
Symbols and Notation

Divides
Does not divide
Concatenation
Equality
Inequality
Congruence
Approximate equality
Therefore
Product
Summation
Modular addition
Modular multiplication
Order of a group
Symmetric-key decryption
Euler's phi-function
Fermat number
Greatest common divisor
The finite field of order 2^n
The finite field of order p
Mersenne number
Modulo operator (remainder after division)
n!  Factorial
Big-O notation
ord(a)  Order of a
Number of primes less than a
Set of integers
Set of nonnegative integers less than n
Set of nonnegative integers less than n and coprime to n

McGraw-Hill Forouzan Networking Series

Titles by Behrouz A. Forouzan:

Cryptography and Network Security
Data Communications and Networking
TCP/IP Protocol Suite
Local Area Networks
Business Data Communications



Cryptography and Network Security

Behrouz A. Forouzan

Tata McGraw-Hill Publishing Company Limited
NEW DELHI

McGraw-Hill Offices
New Delhi New York St Louis San Francisco Auckland Bogota Caracas
Kuala Lumpur Lisbon London Madrid Mexico City Milan Montreal
San Juan Santiago Singapore Sydney Tokyo Toronto



Tata McGraw-Hill

Special Indian Edition 2007

Published in India by arrangement with The McGraw-Hill Companies, Inc., New York
Sales Territories: India, Pakistan, Nepal, Bangladesh, Sri Lanka and Bhutan

Cryptography and Network Security (SIE)

Copyright © 2008, by The McGraw-Hill Companies, Inc. All Rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, electronic, mechanical, photocopying, recording or otherwise or stored in a database or retrieval system without the prior written permission of The McGraw-Hill Companies, Inc. including, but not limited to, in any network or other electronic storage or transmission, or broadcast for distance learning.

ISBN-13: #7t4 0f7 A
ISBN-10: 0-07^fiQ46-g

Jr. Editorial Executive: Nilanjan Chakravarty
Asst. Sponsoring Editor: Shalini Jha
Editorial Services Executive: Sohini Mukherjee
General Manager: Marketing, Higher Education & School: Michael J Cruz
Product Manager: SEM & Tech Ed: Biju Ganesan
Asst. General Manager, Production: B L Dogra
Senior Production Manager: P L Pandita

Information contained in this work has been obtained by Tata McGraw-Hill, from sources believed to be reliable. However, neither Tata McGraw-Hill nor its authors guarantee the accuracy or completeness of any information published herein, and neither Tata McGraw-Hill nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that Tata McGraw-Hill and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought.

Published by the Tata McGraw-Hill Publishing Company Limited, 7 West Patel Nagar, New Delhi 110 008 and printed at Pashupati Printers (P) Ltd., 429/16, Gali No. 1, Friends Colony, Industrial Area, G. T. Road, Shahdara, Delhi 110 095

Cover: Rashtriya

DZLQCRAYRQDRY



To my beloved daughter and son-in-law, Satara and Shane

CONTENTS

Chapter 1 Introduction 1
  1.1 Security Goals 2
    Integrity 3
  1.2 Attacks 3
    Attacks Threatening Confidentiality 3
    Attacks Threatening Integrity 4
    Attacks Threatening Availability 5
    Passive Versus Active Attacks 5
  1.3 Services and Mechanisms 6
    Security Services 6
    Security Mechanisms 7
    Relation between Services and Mechanisms 8
  1.4 Techniques 9
    Cryptography 9
    Steganography 10
  1.5 The Rest of the Book 12
    Part One: Symmetric-Key Encipherment 12
    Part Two: Asymmetric-Key Encipherment 12
    Part Three: Integrity, Authentication, and Key Management 12
    Part Four: Network Security 12
  1.6 Recommended Reading 12
    Books 12
    WebSites 12
  1.7 Key Terms 13
  1.8 Summary 13
  1.9 Practice Set 14
    Review Questions 14
    Exercises 14

Part 1 Symmetric-Key Encipherment 17

Chapter 2 Mathematics of Cryptography 19
  2.1 Integer Arithmetic 20
    Set of Integers 20
    Binary Operations 20
    Integer Division 21
    Divisibility
    Linear Diophantine Equations 28
  2.2 Modular Arithmetic 29
    Modulo Operator
    Set of Residues
    Congruence 30
    Operations in Z_n 32
    Inverses 35
    Addition and Multiplication Tables 39
    Different Sets for Addition and Multiplication 39
    Two More Sets 40
  2.3 Matrices 40
    Definitions 40
    Operations and Relations 41
    Determinant 43
    Inverses 44
    Residue Matrices
  2.4 Linear Congruence 45
    Single-Variable Linear Equations 45
    Set of Linear Equations 46
  2.5 Recommended Reading 47
    Books 47
    WebSites 47
  2.6 Key Terms 47
  2.7 Summary 48
  2.8 Practice Set 49
    Review Questions 49
    Exercises 49

Chapter 3 Traditional Symmetric-Key Ciphers 55
  3.1 Introduction 56
    Kerckhoff's Principle 57
    Cryptanalysis 57
    Categories of Traditional Ciphers 60
  3.2 Substitution Ciphers 61
    Monoalphabetic Ciphers 61
    Polyalphabetic Ciphers 69
  3.3 Transposition Ciphers 80
    Keyless Transposition Ciphers
    Keyed Transposition Ciphers 82
    Combining Two Approaches
  3.4 Stream and Block Ciphers 87
    Stream Ciphers 87
    Block Ciphers
    Combination 89
  3.5 Recommended Reading 90
    Books 90
    WebSites 90
  3.6 Key Terms 90
  3.7 Summary 91
  3.8 Practice Set 92
    Review Questions 92
    Exercises 92

Chapter 4 Mathematics of Cryptography 97
  4.1 Algebraic Structures
    Groups
    Rings
    Fields 105
    Summary
  4.2 GF(2^n) Fields 107
    Polynomials 108
    Using a Generator
    Summary 117
  4.3 Recommended Reading 117
    Books 117
    WebSites 117
  4.4 Key Terms 118
  4.5 Summary 118
  4.6 Practice Set 119
    Review Questions 119
    Exercises 119

Chapter 5 Introduction to Modern Symmetric-Key Ciphers 123
  5.1 Modern Block Ciphers 124
    Substitution or Transposition 125
    Block Ciphers as Permutation Groups 125
    Components of a Modern Block Cipher
    S-Boxes 132
    Product Cipher 136
    Two Classes of Product Ciphers 139
    Attacks on Block Ciphers 143
  5.2 Modern Stream Ciphers 148
    Synchronous Stream Ciphers 149
    Nonsynchronous Stream Ciphers 154
  5.3 Recommended Reading 154
    Books 154
    WebSites 154
  5.4 Key Terms 154
  5.5 Summary 155
  5.6 Practice Set 156
    Review Questions 156
    Exercises 157

Chapter 6 Data Encryption Standard (DES) 159
  6.1 Introduction 159
    History 159
    Overview
  6.2 DES Structure 160
    Initial and Final Permutations 160
    Rounds 163
    Cipher and Reverse Cipher 167
  6.3 DES Analysis 175
    Properties 175
    Design Criteria 176
    DES Weaknesses 177
  6.4 Multiple DES 181
    Triple DES 184
  6.5 Security of DES 185
    Brute-Force Attack 185
    Differential Cryptanalysis
    Linear Cryptanalysis 186
  6.6 Recommended Reading 186
    Books 186
    WebSites 186
  6.7 Key Terms 186
  6.8 Summary 187
  6.9 Practice Set 187
    Review Questions 187
    Exercises 188

Chapter 7 Advanced Encryption Standard (AES) 191
  7.1 Introduction 191
    History 191
    Criteria 192
    Rounds 192
    Data Units 193
    Structure of Each Round 195
  7.2 Transformations 196
    Substitution 196
    Permutation 202
    Mixing
    Key Adding 205
  7.3 Key Expansion 207
    Key Expansion in AES-128
    Key Expansion in AES-192 and AES-256 212
    Key-Expansion Analysis 212
  7.4 Ciphers 213
    Original Design 213
    Alternative Design 214
  7.5 Examples 216
  7.6 Analysis of AES 219
    Security 219
    Implementation 219
  7.7 Recommended Reading 220
    Books 220
    WebSites 220
  7.8 Key Terms 220
  7.9 Summary 220
  7.10 Practice Set 221
    Review Questions 221

Chapter 8 Encipherment Using Modern Symmetric-Key Ciphers 225
  8.1 Use of Modern Block Ciphers 225
    Electronic Codebook (ECB) Mode 226
    Cipher Block Chaining (CBC) Mode 228
    Cipher Feedback (CFB) Mode 231
    Output Feedback (OFB) Mode
    Counter (CTR) Mode 236
  8.2 Use of Stream Ciphers 237
    RC4 238
    A5/1 242
  8.3 Other Issues 244
    Key Management 244
    Key Generation 244
  8.4 Recommended Reading
    Books 245
    WebSites 245
  8.5 Key Terms 245
  8.6 Summary 245
  8.7 Practice Set 246
    Review Questions 246
    Exercises 247

Part 2 Asymmetric-Key Encipherment 249

Chapter 9 Mathematics of Cryptography 251
  9.1 Primes 251
    Definition 251
    Cardinality of Primes 252
    Checking for Primeness 252
    Euler's Phi-Function 254
    Fermat's Little Theorem 256
    Euler's Theorem 257
    Generating Primes 258
  9.2 Primality Testing 260
    Deterministic Algorithms 260
    Probabilistic Algorithms 261
    Recommended Primality Test 266
  9.3 Factorization 267
    Fundamental Theorem of Arithmetic 267
    Factorization Methods 268
    Fermat Method
    Pollard p-1 Method
    Pollard rho Method
    More Efficient Methods
  9.4 Chinese Remainder Theorem 274
    Applications 275
  9.5 Quadratic Congruence 276
    Quadratic Congruence Modulo a Prime 276
    Quadratic Congruence Modulo a Composite 277
  9.6 Exponentiation and Logarithm 278
    Exponentiation 279
    Logarithm 281
  9.7 Recommended Reading 286
    Books 286
    WebSites 286
  9.8 Key Terms 286
  9.9 Summary 287
  9.10 Practice Set 288
    Review Questions 288
    Exercises 288

Chapter 10 Asymmetric-Key Cryptography 293
  10.1 Introduction 293
    Keys 294
    General Idea 294
    Need for Both 296
    Trapdoor One-Way Function 296
    Knapsack Cryptosystem 298
  10.2 RSA Cryptosystem 301
    Introduction 301
    Procedure 301
    Some Trivial Examples 304
    Attacks on RSA
    Recommendations 310
    Optimal Asymmetric Encryption Padding (OAEP) 311
    Applications 314
  10.3 Rabin Cryptosystem 314
    Procedure 315
    Security of the Rabin System 317
  10.4 ElGamal Cryptosystem 317
    ElGamal Cryptosystem 317
    Procedure 317
    Analysis 319
    Security of ElGamal 320
    Application 321
  10.5 Elliptic Curve Cryptosystems 321
    Elliptic Curves over Real Numbers 321
    Elliptic Curves over GF(p) 324
    Elliptic Curves over GF(2^n) 326
    Elliptic Curve Cryptography Simulating ElGamal 328
  10.6 Recommended Reading 330
    Books
  10.7 Key Terms 331
  10.8 Summary 331
  10.9 Practice Set 333
    Review Questions 333
    Exercises 334

Part 3 Integrity, Authentication, and Key Management 337

Chapter 11 Message Integrity and Message Authentication 339
  11.1 Message Integrity 339
    Document and Fingerprint
    Message and Message Digest
    Difference 340
    Checking Integrity 340
    Cryptographic Hash Function Criteria 340
  11.2 Random Oracle Model
    Pigeonhole Principle 345
    Birthday Problems 345
    Attacks on Random Oracle Model 347
    Attacks on the Structure 351
  11.3 Message Authentication 352
    Modification Detection Code 352
    Message Authentication Code (MAC) 353
  11.4 Recommended Reading 357
    Books 357
    WebSites 357
  11.5 Key Terms 357
  11.6 Summary 358
  11.7 Practice Set 358
    Review Questions
    Exercises 359

Chapter 12 Cryptographic Hash Functions 363
  12.1 Introduction 363
    Iterated Hash Function 363
    Groups of Compression Functions 364
  12.2 SHA-512 367
    Introduction 367
    Compression Function 372
  12.3 Whirlpool
    Whirlpool Cipher
    Summary 384
    Analysis 384
  12.4 Recommended Reading 384
    Books 384
    WebSites 384
  12.5 Key Terms 385
  12.6 Summary
  12.7 Practice Set 386
    Review Questions 386
    Exercises 386

Chapter 13 Digital Signature 389
  13.1 Comparison 390
    Inclusion 390
    Verification Method 390
    Relationship 390
    Duplicity 390
  13.2 Process 390
    Need for Keys 391
    Signing the Digest 392
  13.3 Services 393
    Message Authentication 393
    Message Integrity 393
    Nonrepudiation 393
    Confidentiality 394
  13.4 Attacks on Digital Signature 395
    Attack Types 395
    Forgery Types 395
  13.5 Digital Signature Schemes 396
    RSA Digital Signature Scheme 396
    ElGamal Digital Signature Scheme 400
    Schnorr Digital Signature Scheme 403
    Digital Signature Standard (DSS) 405
    Elliptic Curve Digital Signature Scheme 407
  13.6 Variations and Applications 409
    Variations
    Applications 411
  13.7 Recommended Reading 411
    Books 411
    WebSites 411
  13.8 Key Terms 412
  13.9 Summary 412
  13.10 Practice Set 413
    Review Questions 413
    Exercises 413

Chapter 14 Entity Authentication 415
  14.1 Introduction 415
    Data-Origin Versus Entity Authentication 415
    Verification Categories 416
    Entity Authentication and Key Management 416
  14.2 Passwords 416
    Fixed Password 416
    One-Time Password 419
  14.3 Challenge-Response 421
    Using a Symmetric-Key Cipher 421
    Using Keyed-Hash Functions 423
    Using an Asymmetric-Key Cipher 424
    Using Digital Signature
  14.4 Zero-Knowledge
    Fiat-Shamir Protocol
    Feige-Fiat-Shamir Protocol 429
    Guillou-Quisquater Protocol
  14.5 Biometrics 430
    Components 431
    Enrollment 431
    Authentication 431
    Techniques 432
    Accuracy 433
    Applications 434
  14.6 Recommended Reading 434
    Books 434
    WebSites 434
  14.7 Key Terms 434
  14.8 Summary 435
  14.9 Practice Set 435
    Review Questions 435
    Exercises 436

Chapter 15 Key Management 437
  15.1 Symmetric-Key Distribution 438
    Key-Distribution Center: KDC 438
    Session Keys 439
  15.2 Kerberos 443
    Servers 444
    Operation 445
    Using Different Servers 445
    Kerberos Version 5 447
    Realms 447
  15.3 Symmetric-Key Agreement 447
    Diffie-Hellman Key Agreement 447
    Station-to-Station Key Agreement 451
  15.4 Public-Key Distribution 453
    Public Announcement
    Controlled Trusted Center
    Public-Key Infrastructures (PKI) 455
  15.5 Recommended Reading 461
    Books 461
    WebSites 461
  15.6 Key Terms and Concepts 462
  15.7 Summary 462
  15.8 Practice Set 463
    Review Questions 463
    Exercises 463

Part 4 Network Security

Chapter 16 Security at the Application Layer: PGP and S/MIME 467
  16.1 E-mail 467
    E-mail Architecture 467
    E-mail Security 469
  16.2 PGP 470
    Scenarios 470
    Key Rings 472
    PGP Certificates 475
    Key Revocation 482
    Extracting Information from Rings 482
    PGP Packets 484
    PGP Messages 490
    Applications of PGP 492
  16.3 S/MIME 492
    MIME 492
    S/MIME 498
    Applications of S/MIME 502
  16.4 Recommended Reading 502
    Books 502
    WebSites 502
  16.5 Key Terms 502
  16.6 Summary 503
  16.7 Exercises 503
    Review Questions 503
    Exercises 504

Chapter 17 Security at the Transport Layer: SSL and TLS 507
  17.1 SSL Architecture 508
    Services 508
    Key Exchange Algorithms 509
    Encryption/Decryption Algorithms 511
    Hash Algorithms 512
    Cipher Suite 512
    Compression Algorithms 513
    Cryptographic Parameter Generation 513
    Sessions and Connections 515
  17.2 Four Protocols 517
    Handshake Protocol 518
    ChangeCipherSpec Protocol 525
    Alert Protocol 526
    Record Protocol 526
  17.3 SSL Message Formats 529
    ChangeCipherSpec Protocol 530
    Alert Protocol 530
    Handshake Protocol 530
    Application Data
  17.4 Transport Layer Security 538
    Version 539
    Cipher Suite 539
    Generation of Cryptographic Secrets 539
    Alert Protocol 542
    Handshake Protocol 543
    Record Protocol 543
  17.5 Recommended Reading
    Books 545
    WebSites 545
  17.6 Key Terms 545
  17.7 Summary 545
  17.8 Practice Set 546
    Review Questions 546
    Exercises 546

Chapter 18 Security at the Network Layer: IPSec 549
  18.1 Two Modes 550
    Comparison 552
  18.2 Two Security Protocols 552
    Authentication Header (AH) 552
    Encapsulating Security Payload (ESP) 554
    IPv4 and IPv6 555
    AH versus ESP 555
    Services Provided by IPSec 555
  18.3 Security Association 557
    Idea of Security Association 557
    Security Association Database (SAD) 558
  18.4 Security Policy 560
  18.5 Internet Key Exchange (IKE) 563
    Improved Diffie-Hellman Key Exchange 563
    Phases and Modes
    Phase I: Main Mode
    Phase I: Aggressive Mode 573
    Phase II: Quick Mode
    SA Algorithms 577
  18.6 ISAKMP 578
    General Header 578
    Payloads 579
  18.7 Recommended Reading
    WebSites 588
  18.8 Key Terms
  18.9 Summary 589
  18.10 Practice Set 589
    Review Questions
    Exercises

Appendix A ASCII 593

Appendix B Standards and Standard Organizations 595
  B.1 Internet Standards 595
    Maturity Levels 595
    Requirement Levels 597
    Internet Administration 597
  B.2 Other Standard Organizations 599
    NIST 599
    ISO 599
    ITU-T
    ANSI 600
    IEEE 600
    EIA 600

Appendix C TCP/IP Protocol Suite 601
  C.1 Layers in the TCP/IP 602
    Application Layer 602
    Transport Layer 602
    Network Layer 603
    Data Link Layer 604
    Physical Layer 604
  C.2 Addressing 604
    Specific Address 604
    Port Address 604
    Logical Address 605
    Physical Address 605

Appendix D Elementary Probability 607
  D.1 Introduction 607
    Definitions 607
    Probability Assignment
    Properties 609
    Conditional Probability 609
  D.2 Random Variables 610
    Continuous Random Variables 610
    Discrete Random Variables 610

Appendix E Birthday Problems 611
  E.1 Four Problems 611
    First Problem
    Second Problem
    Third Problem 612
    Fourth Problem
  E.2 Summary

Appendix F Information Theory 615
  F.1 Measuring Information 615
  F.2 Entropy 616
    Maximum Entropy
    Minimum Entropy 617
    Interpretation of Entropy 617
    Joint Entropy 617
    Conditional Entropy 617
    Perfect Secrecy 618
  F.3 Entropy of a Language 619
    Entropy of an Arbitrary Language 619
    Entropy of the English Language 619
    Redundancy 619
    Unicity Distance 620

Appendix G List of Irreducible and Primitive Polynomials 621

Appendix H Primes Less Than 10,000 623

Appendix I Prime Factors of Integers Less Than 1000 627

Appendix J List of First Primitive Roots for Primes Less Than 1000 631

Appendix K Random Number Generators 633
  K.1 TRNG 633
  K.2 PRNG 634
    Cryptosystem-Based Generators 636

Appendix L Complexity 639
  L.1 Complexity of an Algorithm 639
    Bit-Operation Complexity
  L.2 Complexity of a Problem 643
    Two Broad Categories
  L.3 Probabilistic Algorithms 644
    Monte Carlo Algorithms 644
    Las Vegas Algorithms 644

Appendix M ZIP 645
  M.1 LZ77 Encoding 645
    Compression 646
    Decompression 647

Appendix N Differential and Linear Cryptanalysis of DES 651
  N.1 Differential Cryptanalysis 651
    Probabilistic Relations
    Attack
    Finding the Cipher Key 654
    Security 654
  N.2 Linear Cryptanalysis 655
    Linearity Relations 655
    Attack 658
    Security

Appendix O Simplified DES (S-DES) 659
  O.1 S-DES Structure 659
    Initial and Final Permutations 660
    Rounds 660
    Key Generation 663
  O.2 Cipher and Reverse Cipher 664

Appendix P Simplified AES (S-AES) 667
  P.1 S-AES Structure 667
    Rounds 667
    Data Units 668
    Structure of Each Round 670
  P.2 Transformations 671
    Substitution 671
    Permutation 672
    Mixing 673
    Key Adding 674
  P.3 Key Expansion 675
    Creation of Words in S-AES 675
  P.4 Ciphers 677

Appendix Q Some Proofs 679
  Q.1 Chapter 2 679
    Divisibility 679
    Euclidean Algorithms
    Congruence 681
  Q.2 Chapter 9 682
    Primes 682
    Euler's Phi-Function 683
    Fermat's Little Theorem
    Euler's Theorem
    Fundamental Theorem of Arithmetic 685

Glossary 687
References 707


PREFACE

The Internet, as a worldwide communication network, has changed our daily life in many ways. A new paradigm of commerce allows individuals to shop online. The World Wide Web (WWW) allows people to share information. The E-mail technology connects people in faraway corners of the world. This inevitable evolution has also created dependency on the Internet.

The Internet, as an open forum, has created some security problems. Confidentiality, integrity, and authentication are needed. People need to be sure that their Internet communication is kept confidential. When they shop online, they need to be sure that the vendors are authentic. When they send their transaction requests to their banks, they want to be certain that the integrity of the message is preserved.

Network security is a set of protocols that allow us to use the Internet comfortably, without worrying about security attacks. The most common tool for providing network security is cryptography, an old technique that has been revived and adapted to network security. This book first introduces the reader to the principles of cryptography and then applies those principles to describe network security protocols.

Features of the Book

Several features of this text are designed to make it particularly easy for readers to understand cryptography and network security.

Structure

This text uses an incremental approach to teaching cryptography and network security. It assumes no particular mathematical knowledge, such as number theory or abstract algebra. However, because cryptography and network security cannot be discussed without some background in these areas of mathematics, these topics are discussed in Chapters 2, 4, and 9. Readers who are familiar with these areas of mathematics can ignore these chapters. Chapters 3 through 15 discuss cryptography. Chapters 16 through 18 discuss network security.

Visual Approach

This text presents highly technical subject matter without complex formulas by using a balance of text and figures. More than 400 figures accompanying the text provide a visual and intuitive opportunity for understanding the material. Figures are particularly important in explaining difficult cryptographic concepts and complex network security protocols.

Algorithms

Algorithms play an important role in teaching cryptography. To make the presentation independent from any computer language, the algorithms have been given in pseudocode that can be easily programmed in a modern language. At the website for this text, the corresponding programs are available for download.

Highlighted Points

Important concepts are emphasized in highlighted boxes for quick reference and immediate attention.

Examples

Each chapter presents a large number of examples that apply concepts discussed in the chapter. Some examples merely show the immediate use of concepts and formulas; some show the actual input/output relationships of ciphers; others give extra information to better understand some difficult ideas.

Recommended Reading

At the end of each chapter, the reader will find a list of references for further reading.

Key Terms

Key terms appear in bold in the chapter text, and a list of key terms appears at the end of each chapter. All key terms are also defined in the glossary at the end of the book.

Summary

Each chapter ends with a summary of the material covered in that chapter. The summary provides a brief overview of all the important points in the chapter.

Practice Set

At the end of each chapter the students will find a practice set designed to reinforce and apply salient concepts. The practice set consists of two parts: review questions and exercises. The review questions are intended to test the reader's first-level understanding of the material presented in the chapter. The exercises require deeper understanding of the material.

Appendices

The appendices provide quick reference material or a review of materials needed to understand the concepts discussed in the book. Some discussions of mathematical topics are also presented in the appendices to avoid distracting those readers who are already familiar with these materials.

Important Proofs

Mathematical facts are mentioned in the chapters without proofs to emphasize the results of applying the facts. For those interested readers, the proofs are given in Appendix Q.

Glossary and Acronyms

At the end of the text, the reader will find an extensive glossary and a list of acronyms.

Contents

After the introductory Chapter 1, the book is divided into four parts:

Part One: Symmetric-Key Encipherment

Part One introduces symmetric-key cryptography, both traditional and modern. The chapters in this part emphasize the use of symmetric-key cryptography in providing message secrecy. Part One includes Chapters 2 through 8.

Part Two: Asymmetric-Key Encipherment

Part Two discusses asymmetric-key cryptography. The chapters in this part show how asymmetric-key cryptography can provide security. Part Two includes Chapters 9 and 10.

Part Three: Integrity, Authentication, and Key Management

Part Three shows how cryptographic hash functions can provide other security services, such as message integrity and authentication. The chapters in this part also show how asymmetric-key and symmetric-key cryptography can complement each other. Part Three includes Chapters 11 through 15.

Part Four: Network Security

Part Four shows how the cryptography discussed in Parts One through Three can be used to create network security protocols at three levels of the Internet networking model. Part Four includes Chapters 16 to 18.

How to Use this Book

This book is written for both an academic and a professional audience. Interested professionals can use it for self-study. As a textbook, it can be used for a one-semester or one-quarter course. The following are some guidelines.

□ Parts one to three are strongly recommended.

□ Part four is recommended if the course needs to move beyond cryptography and to enter the domain of network security. A course in networking is a prerequisite for Part four.

Online Learning Center

The McGraw-Hill Online Learning Center contains much additional material related to Cryptography and Network Security. Readers can access the site at www.mhhe.com/forouzan. Professors and students can access lecture materials, such as PowerPoint slides. The solutions to odd-numbered problems are provided to students, and professors can use a password to access the complete set of solutions. Additionally, McGraw-Hill makes it easy to create a website for the course with an exclusive McGraw-Hill product called PageOut. It requires no prior knowledge of HTML, no long hours and no design skills on your part. Instead, PageOut offers a series of templates. Simply fill them with your course information and click on one of 16 designs. The process takes under an hour and leaves you with a professionally designed website. Although PageOut offers "instant" development, the finished website provides powerful features. An interactive course syllabus allows you to post content to coincide with your lectures, so when students visit your PageOut website, your syllabus will direct them to c

Acknowledgments

It is obvious that the development of a book of this scope needs the support of many people.

Peer Review

The most important contribution to the development of a book such as this comes from peer reviews. I cannot express my gratitude in words to the many reviewers who spent numerous hours reading the manuscript and providing me with helpful comments and ideas. I would especially like to acknowledge the contributions of the following reviewers:

Kaufman, Robert, University of Texas, San Antonio
Kesidis, George, Penn State
Stephens, Brooke, U. of Maryland, Baltimore County
Koc, Cetin, Oregon State University
Uminawiez, Bill, Westwood College
Wang, Xunhua, James Madison University
Kak, Subhash, Louisiana State U.
Dunigan, Tom, U. of Tennessee, Knoxville

McGraw-Hill Staff

Special thanks go to the staff of McGraw-Hill. Alan Apt, publisher, proved how a proficient publisher can make the impossible possible. Melinda Bilecki, the developmental editor, ... whenever I needed it. Sheila Frank, project manager, guided us through the production process with enormous enthusiasm. I also thank David Hash in design, Kara Kudronowicz in production, and Wendy Nelson, the copy editor.

Behrouz A. Forouzan



CHAPTE1T 1 




Objectives ^ 

'111 is chapter has sacral objectives: 

-I To define three )Seo*riiy goals 

□ To define secuniySaiaicks that threaten security goals 

□ To del me security ser^d^ and how they arv related in i ho three security 
goals 



J 

□ 



To define security mechanisms to provide security services 

To introduce two techniq^, cryptography and steganography, to 
imp lenient security mecha^pihs. 

We are living in the information age. We need to keep information about
every aspect of our lives. In other words, information is an asset that has
a value like any other asset. As an asset, information needs to be secured
from attacks.

To be secured, information needs to be hidden from unauthorized
access (confidentiality), protected from unauthorized change (integrity),
and available to an authorized entity when it is needed (availability).

Until a few decades ago, the information collected by an organization
was stored on physical files. The confidentiality of the files was achieved
by restricting the access to a few authorized and trusted people in the organization.
In the same way, only a few authorized people were allowed to
change the contents of the files. Availability was achieved by designating
at least one person who would have access to the files at all times.

With the advent of computers, information storage became electronic.
Instead of being stored on physical media, it was stored in computers. The
three security requirements, however, did not change. The files stored in
computers require confidentiality, integrity, and availability. The implementation
of these requirements, however, is different and more challenging.

During the last two decades, computer networks created a revolution in
the use of information. Information is now distributed. Authorized people
can send and retrieve information from a distance using computer networks.
Although the three above-mentioned requirements (confidentiality,
integrity, and availability) have not changed, they now have some new
dimensions. Not only should information be confidential when it is stored
in a computer; there should also be a way to maintain its confidentiality
when it is transmitted from one computer to another.

In this chapter, we first discuss the three major goals of information
security. We then see how attacks can threaten these three goals. We then
discuss the security services in relation to these security goals. Finally, we
define mechanisms to provide security services and introduce techniques
that can be used to implement these mechanisms.




1.1 SECURITY GOALS 



Let us first discuss three security goals: confidentiality, integrity, and availability
(Figure 1.1).

Figure 1.1 Taxonomy of security goals
[Figure 1.1: Security goals, with three branches: Confidentiality, Integrity, Availability]

Confidentiality



Confidentiality is probably the most common aspect of information security. We need
to protect our confidential information. An organization needs to guard against those
malicious actions that endanger the confidentiality of its information. In the military,
concealment of sensitive information is the major concern. In industry, hiding some
information from competitors is crucial to the operation of the organization. In banking,
customers' accounts need to be kept secret.

As we will see later in this chapter, confidentiality not only applies to the storage
of the information, it also applies to the transmission of information. When we send a
piece of information to be stored in a remote computer or when we retrieve a piece of
information from a remote computer, we need to conceal it during transmission.



Integrity

Information needs to be changed constantly. In a bank, when a customer deposits or withdraws
money, the balance of her account needs to be changed. Integrity means that
changes need to be done only by authorized entities and through authorized mechanisms.
Integrity violation is not necessarily the result of a malicious act; an interruption in the
system, such as a power surge, may also create unwanted changes in some information.

Availability

The third component of information security is availability. The information created and
stored by an organization needs to be available to authorized entities. Information is useless
if it is not available. Information needs to be constantly changed, which means it
must be accessible to authorized entities. The unavailability of information is just as
harmful for an organization as the lack of confidentiality or integrity. Imagine what would
happen to a bank if the customers could not access their accounts for transactions.



1.2 ATTACKS 



Our three goals of security (confidentiality, integrity, and availability) can be threatened
by security attacks. Although the literature uses different approaches to categorizing the
attacks, we will first divide them into three groups related to the security goals. Later, we
will divide them into two broad categories based on their effects on the system. Figure 1.2
shows the first taxonomy.

Figure 1.2 Taxonomy of attacks with relation to security goals
[Figure 1.2: Attacks grouped by the goal they threaten: Confidentiality, Integrity, Availability]

Attacks Threatening Confidentiality

In general, two types of attacks threaten the confidentiality of information: snooping
and traffic analysis.




Snooping

Snooping refers to unauthorized access to or interception of data. For example, a file
transferred through the Internet may contain confidential information. An unauthorized
entity may intercept the transmission and use the contents for her own benefit. To prevent
snooping, the data can be made nonintelligible to the intercepter by using encipherment
techniques discussed in this book.

Traffic Analysis

Although encipherment of data may make it nonintelligible for the intercepter, she can
obtain some other type of information by monitoring online traffic. For example, she can
find the electronic address (such as the e-mail address) of the sender or the receiver. She
can collect pairs of requests and responses to help her guess the nature of the transaction.

Attacks Threatening Integrity

The integrity of data can be threatened by several kinds of attacks: modification, masquerading,
replaying, and repudiation.

Modification

After intercepting or accessing information, the attacker modifies the information to
make it beneficial to herself. For example, a customer sends a message to a bank to do
some transaction. The attacker intercepts the message and changes the type of transaction
to benefit herself. Note that sometimes the attacker simply deletes or delays the
message to harm the system or to benefit from it.

Masquerading

Masquerading, or spoofing, happens when the attacker impersonates somebody else.
For example, an attacker might steal the bank card and PIN of a bank customer and pretend
that she is that customer. Sometimes the attacker pretends instead to be the
receiver entity. For example, a user tries to contact a bank, but another site pretends that
it is the bank and obtains some information from the user.






Replaying

Replaying is another attack. The attacker obtains a copy of a message sent by a user and
later tries to replay it. For example, a person sends a request to her bank to ask for payment
to the attacker, who has done a job for her. The attacker intercepts the message
and sends it again to receive another payment from the bank.

Repudiation

This type of attack is different from others because it is performed by one of the two
parties in the communication: the sender or the receiver. The sender of the message
might later deny that she has sent the message; the receiver of the message might later
deny that he has received the message.

An example of denial by the sender would be a bank customer asking her bank to
send some money to a third party but later denying that she has made such a request. An
example of denial by the receiver could occur when a person buys a product from a
manufacturer and pays for it electronically, but the manufacturer later denies having
received the payment and asks to be paid.



Attacks Threatening Availability

We mention only one attack threatening availability: denial of service.

Denial of Service

Denial of service (DoS) is a very common attack. It may slow down or totally interrupt
the service of a system. The attacker can use several strategies to achieve this. She might
send so many bogus requests to a server that the server crashes because of the heavy load.
The attacker might intercept and delete a server's response to a client, making the client
believe that the server is not responding. The attacker may also intercept requests from
the clients, causing the clients to send requests many times and overload the system.

Passive Versus Active Attacks

Let us now categorize the attacks into two groups: passive and active. Table 1.1 shows
the relationship between this and the previous categorization.

Table 1.1 Categorization of passive and active attacks

Attacks                                               Passive/Active   Threatening
Snooping, traffic analysis                            Passive          Confidentiality
Modification, masquerading, replaying, repudiation    Active           Integrity
Denial of service                                     Active           Availability

Passive Attacks

In a passive attack, the attacker's goal is just to obtain information. This means that the
attack does not modify data or harm the system. The system continues with its normal
operation. However, the attack may harm the sender or the receiver of the message.
Attacks that threaten confidentiality (snooping and traffic analysis) are passive
attacks. The revealing of the information may harm the sender or receiver of the message,
but the system is not affected. For this reason, it is difficult to detect this type of
attack until the sender or receiver finds out about the leaking of confidential information.
Passive attacks, however, can be prevented by encipherment of the data.

Active Attacks

An active attack may change the data or harm the system. Attacks that threaten the
integrity and availability are active attacks. Active attacks are normally easier to detect
than to prevent, because an attacker can launch them in a variety of ways.






1.3 SERVICES AND MECHANISMS

The International Telecommunication Union-Telecommunication Standardization
Sector (ITU-T) (see Appendix B) provides some security services and some mechanisms
to implement those services. Security services and mechanisms are closely related because a
mechanism or combination of mechanisms is used to provide a service. Also, a mechanism
can be used in one or more services. We briefly discuss them here to give the general idea;
we will discuss them in detail in later chapters devoted to specific services or mechanisms.

Security Services

ITU-T (X.800) has defined five services related to the security goals and attacks we
discussed in the previous sections. Figure 1.3 shows the taxonomy of these five common
services.

Figure 1.3 Security services
[Figure 1.3: Security services, with five branches: Data confidentiality; Data integrity;
Authentication (Peer entity, Data origin); Nonrepudiation (Proof of origin, Proof of
delivery); Access control]



It is easy to relate one or more of these services to one or more of the security
goals. It is also easy to see that these services have been designed to prevent the security
attacks that we have mentioned.

Data Confidentiality

Data confidentiality is designed to protect data from disclosure attack. The service as
defined by X.800 is very broad and encompasses confidentiality of the whole message
or part of a message and also protection against traffic analysis. That is, it is designed to
prevent snooping and traffic analysis attack.

Data Integrity

Data integrity is designed to protect data from modification, insertion, deletion, and
replaying by an adversary. It may protect the whole message or part of the message.

Authentication

This service provides the authentication of the party at the other end of the line. In
connection-oriented communication, it provides authentication of the sender or receiver
during the connection establishment (peer entity authentication). In connectionless
communication, it authenticates the source of the data (data origin authentication).

Nonrepudiation

Nonrepudiation service protects against repudiation by either the sender or the receiver
of the data. In nonrepudiation with proof of the origin, the receiver of the data can later
prove the identity of the sender if denied. In nonrepudiation with proof of delivery, the
sender of data can later prove that data were delivered to the intended recipient.

Access Control

Access control provides protection against unauthorized access to data. The term access
in this definition is very broad and can involve reading, writing, modifying, executing
programs, and so on.


Security Mechanisms

ITU-T (X.800) also recommends some security mechanisms to provide the security
services defined in the previous section. Figure 1.4 gives the taxonomy of these
mechanisms.

Figure 1.4 Security mechanisms
[Figure 1.4: Security mechanisms, with eight branches: Encipherment, Data integrity,
Digital signature, Authentication exchange, Traffic padding, Routing control,
Notarization, Access control]

Encipherment

Encipherment, hiding or covering data, can provide confidentiality. It can also be used
to complement other mechanisms to provide other services. Today two techniques,
cryptography and steganography, are used for enciphering. We will discuss these shortly.






Data Integrity

The data integrity mechanism appends to the data a short check value that has been
created by a specific process from the data itself. The receiver receives the data and the
check value. He creates a new check value from the received data and compares the
newly created check value with the one received. If the two check values are the same,
the integrity of data has been preserved.

Digital Signature

A digital signature is a means by which the sender can electronically sign the data and
the receiver can electronically verify the signature. The sender uses a process that
involves showing that she owns a private key related to the public key that she has
announced publicly. The receiver uses the sender's public key to prove that the message
is indeed signed by the sender who claims to have sent the message.

Authentication Exchange

In authentication exchange, two entities exchange some messages to prove their identity
to each other. For example, one entity can prove that she knows a secret that only
she is supposed to know.

Traffic Padding

Traffic padding means inserting some bogus data into the data traffic to thwart the
adversary's attempt to use the traffic analysis.

Routing Control

Routing control means selecting and continuously changing different available routes
between the sender and the receiver to prevent the opponent from eavesdropping on a
particular route.

Notarization

Notarization means selecting a third trusted party to control the communication
between two entities. This can be done, for example, to prevent repudiation. The
receiver can involve a trusted party to store the sender request in order to prevent the
sender from later denying that she has made such a request.

Access Control

Access control uses methods to prove that a user has access right to the data or
resources owned by a system. Examples of proofs are passwords and PINs.



Relation between Services and Mechanisms

Table 1.2 shows the relationship between the security services and the security mechanisms.
The table shows that three mechanisms (encipherment, digital signature, and
authentication exchange) can be used to provide authentication. The table also shows
that encipherment mechanism may be involved in three services (data confidentiality,
data integrity, and authentication).

Table 1.2 Relation between security services and mechanisms

Security Service        Security Mechanism
Data confidentiality    Encipherment and routing control
Data integrity          Encipherment, digital signature, data integrity
Authentication          Encipherment, digital signature, authentication exchanges
Nonrepudiation          Digital signature, data integrity, and notarization
Access control          Access control mechanism

1.4 TECHNIQUES

Mechanisms discussed in the previous sections are only theoretical recipes to implement
security. The actual implementation of security goals needs some techniques. Two
techniques are prevalent today: one is very general (cryptography) and one is specific
(steganography).

Cryptography

Some security mechanisms listed in the previous section can be implemented using cryptography.
Cryptography, a word with Greek origins, means "secret writing." However,
we use the term to refer to the science and art of transforming messages to make them
secure and immune to attacks. Although in the past cryptography referred only to the
encryption and decryption of messages using secret keys, today it is defined as involving
three distinct mechanisms: symmetric-key encipherment, asymmetric-key encipherment,
and hashing. We will briefly discuss these three mechanisms here.

Symmetric-Key Encipherment

In symmetric-key encipherment (sometimes called secret-key encipherment or secret-key
cryptography), an entity, say Alice, can send a message to another entity, say Bob, over
an insecure channel with the assumption that an adversary, say Eve, cannot understand the
contents of the message by simply eavesdropping over the channel. Alice encrypts the
message using an encryption algorithm; Bob decrypts the message using a decryption
algorithm. Symmetric-key encipherment uses a single secret key for both encryption and
decryption. Encryption/decryption can be thought of as electronic locking. In symmetric-key
enciphering, Alice puts the message in a box and locks the box using the shared secret
key; Bob unlocks the box with the same key and takes out the message.

Asymmetric-Key Encipherment

In asymmetric-key encipherment (sometimes called public-key encipherment or
public-key cryptography), we have the same situation as the symmetric-key encipherment,
with a few exceptions. First, there are two keys instead of one: one public key
and one private key. To send a secured message to Bob, Alice first encrypts the message
using Bob's public key. To decrypt the message, Bob uses his own private key.

Hashing

In hashing, a fixed-length message digest is created out of a variable-length message.
The digest is normally much smaller than the message. To be useful, both the message
and the digest must be sent to Bob. Hashing is used to provide check values, which were
discussed earlier in relation to providing data integrity.
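As an added example (Python written for this text, not code from the book), the check-value procedure of the data integrity mechanism and the hashing paragraph above, carried out end to end: the sender computes a fixed-length digest of a variable-length message, the receiver recomputes it from what arrived and compares. It also shows the caveat a practitioner needs: an unkeyed digest catches accidental or careless modification, but an attacker who can alter the message can recompute the digest as well, so against an active attacker the check value must depend on a shared secret (an HMAC). The sample message, the key and the function names are constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not from the book: a digest-based check value for the data integrity
# mechanism, plus the keyed variant that is needed against an active attacker.


def check_value(data: bytes) -> bytes:
    """Unkeyed check value: a fixed-length (32-byte) SHA-256 digest of the message."""
    return hashlib.sha256(data).digest()


def keyed_check_value(key: bytes, data: bytes) -> bytes:
    """Keyed check value (HMAC-SHA256): recomputing it requires the shared secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_verifies(data: bytes, received: bytes, key: Optional[bytes] = None) -> bool:
    """The receiver's side: recompute the check value from the received data and
    compare it with the received one (constant-time compare avoids a timing side channel)."""
    expected = keyed_check_value(key, data) if key is not None else check_value(data)
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Walk through the sender/receiver exchange on a constructed sample message."""
    original = b"TRANSFER 100 FROM ACCT 1111 TO ACCT 2222"   # constructed sample message
    tampered = b"TRANSFER 900 FROM ACCT 1111 TO ACCT 2222"   # the attacker's modification
    key = b"example-shared-secret"                           # constructed; use a random key in practice

    unkeyed_tag = check_value(original)
    keyed_tag = keyed_check_value(key, original)
    return {
        "digest_len": len(unkeyed_tag),
        # Unkeyed digest: the intact message verifies and a modified one does not...
        "unkeyed_intact_ok": receiver_verifies(original, unkeyed_tag),
        "unkeyed_tamper_detected": not receiver_verifies(tampered, unkeyed_tag),
        # ...but an attacker who alters the message can recompute the digest too.
        "unkeyed_forgery_accepted": receiver_verifies(tampered, check_value(tampered)),
        # Keyed check value: same detection, and a forged tag is rejected without the key.
        "keyed_intact_ok": receiver_verifies(original, keyed_tag, key),
        "keyed_tamper_detected": not receiver_verifies(tampered, keyed_tag, key),
        "keyed_forgery_rejected": not receiver_verifies(tampered, check_value(tampered), key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The dictionary returned by demo() makes the two regimes visible side by side: "unkeyed_forgery_accepted" is True, which is the gap the keyed variant closes with "keyed_forgery_rejected". Chapter 11 of this book treats these keyed check values (message authentication codes) in detail.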

Steganography

Although this book is based on cryptography as a technique for implementing security
mechanisms, another technique that was used for secret communication in the
past is being revived at the present time: steganography. The word steganography,
with origin in Greek, means "covered writing," in contrast with cryptography, which
means "secret writing." Cryptography means concealing the contents of a message by
enciphering; steganography means concealing the message itself by covering it with
something else.

History is full of facts and myths about the use of steganography. In China, war messages
were written on thin pieces of silk and rolled into a small ball and swallowed by
the messenger. In Rome and Greece, messages were carved on pieces of wood that
were later dipped into wax to cover the writing. Invisible inks (such as onion juice or
ammonia salts) were also used to write a secret message between the lines of the covering
message or on the back of the paper; the secret message was exposed when the
paper was heated or treated with another substance.

In recent times other methods have been devised. Some letters in an innocuous
message might be overwritten in a pencil lead that is visible only when exposed to light
at an angle. Null ciphers were used to hide a secret message in an innocuous simple
message. For example, the first or second letter of each word in the covering message
might compose a secret message. Microdots were also used for this purpose. Secret
messages were photographed and reduced to the size of a dot (period) and inserted into
simple cover messages in place of regular periods at the end of sentences.

Modern Use

Today, any form of data, such as text, image, audio, or video, can be digitized, and it is
possible to insert secret binary information into the data during the digitization process.
Such hidden information is not necessarily used for secrecy; it can also be used to protect
copyright, prevent tampering, or add extra information.

Text Cover The cover of secret data can be text. There are several ways to insert
binary data into an innocuous text. For example, we can use a single space between
words to represent the binary digit 0 and a double space to represent the binary digit 1. The
following short message hides the 8-bit binary representation of the letter A in ASCII
code (01000001):



This book  is mostly about cryptography, not  steganography

0 1 0 0 0 0 0 1

In the above message there are two spaces between "book" and "is" and between
"not" and "steganography". Of course, sophisticated software can insert spaces that
differ only slightly to hide the code from immediate recognition.
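As an added example (not the book's code), the single-space/double-space scheme above written in Python and generalized from one letter to any short ASCII string: hide_text widens one gap per secret bit, reveal_text reads the gaps back. The cover sentence and the function names are constructed for the example. The last function shows the channel's fragility from the defender's side: anything that normalizes whitespace (a mail gateway, HTML rendering, an editor that reflows text) erases the hidden bits, and the double spaces themselves are a simple thing to look for.

```python
import re

# Added example, not from the book. Encoding: gap i between word i and word i+1 carries
# secret bit i; a single space means 0 and a double space means 1, as the text describes.

# Constructed cover text: 20 words, so 19 gaps, enough for 2 ASCII characters (16 bits).
COVER_TEXT = ("The library closes early on Friday so please return any books "
              "you borrowed before noon and renew the rest online")


def text_to_bits(secret: str) -> str:
    """8 bits per character, most significant bit first, e.g. 'A' -> '01000001'."""
    return "".join(format(b, "08b") for b in secret.encode("ascii"))


def bits_to_text(bits: str) -> str:
    """Inverse of text_to_bits; a trailing partial byte is ignored."""
    whole = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8)).decode("ascii")


def hide_text(cover: str, secret: str) -> str:
    """Embed `secret` in the spacing of `cover`; unused gaps stay single spaces."""
    words = cover.split()
    bits = text_to_bits(secret)
    if len(bits) > len(words) - 1:
        raise ValueError(f"cover has {len(words) - 1} gaps but the secret needs {len(bits)}")
    pieces = [words[0]]
    for i, word in enumerate(words[1:]):
        wide = i < len(bits) and bits[i] == "1"
        pieces.append(("  " if wide else " ") + word)
    return "".join(pieces)


def reveal_text(stego: str, nchars: int) -> str:
    """Read the first nchars*8 gaps back into characters."""
    gaps = re.findall(r" +", stego.strip())
    bits = "".join("1" if len(gap) >= 2 else "0" for gap in gaps[: nchars * 8])
    return bits_to_text(bits)


def survives_normalization(stego: str, nchars: int) -> bool:
    """True only if the hidden text is still readable after whitespace is collapsed,
    which is what most transports and renderers do; with this scheme it never is."""
    collapsed = " ".join(stego.split())
    return reveal_text(collapsed, nchars) == reveal_text(stego, nchars)


if __name__ == "__main__":
    stego = hide_text(COVER_TEXT, "Hi")
    print(repr(stego))
    print(reveal_text(stego, 2))                  # Hi
    print(survives_normalization(stego, 2))       # False
```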

Another, more efficient method, is to use a dictionary of words organized according
to their grammatical usages. We can have a dictionary containing 2 articles, 16 verbs,
32 nouns, and some prepositions. Then we agree to use cover text that always uses sentences
with the pattern article, noun, verb, article, noun. The secret binary data can be divided
into chunks. The first bit of binary data can be represented by an article (for example,
"a" for 0 and "the" for 1); the next five bits can be represented by a noun (subject of the
sentence); the next four bits can be represented by a verb; the next bit by the second
article; and the last five bits by another noun (object). For example, the secret data "Hi",
which is 0100100001101001 in ASCII, could be a sentence like the following:

A friend called a
0 10010 0001 0

This is a very trivial example. The actual approach uses more sophisticated design
and a variety of patterns.

Image Cover Secret data can also be covered under a color image. Digitized images
are made of pixels (picture elements), in which normally each pixel uses 24 bits
(3 bytes). Each byte represents one of the primary colors (red, green, or blue). We can therefore
have 2^8 different shades of each color. In a method called LSB (least significant bit),
the least significant bit of each byte is set to 0. This may make the image a little bit
lighter in some areas, but this is not normally noticed. Now we can hide binary data in
the image by keeping or changing the least significant bit. If our binary digit is 0, we keep
the bit; if it is 1, we change the bit to 1. In this way, we can hide a character (eight ASCII
bits) in three pixels. For example, the following three pixels can represent the letter M.

[Figure: the three pixel values shown for the letter M are not recoverable from the scan.]

Of course, more sophisticated approaches are used these days.
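As an added example (not the book's code), the LSB method on three constructed RGB pixels stored as nine bytes. embed_lsb performs exactly the two steps in the text (clear the least significant bit, then set it when the secret bit is 1), extract_lsb reads the bits back, and max_byte_change confirms that no colour value moves by more than 1, which is why the change is not visible. Pixel values, the secret byte and the function names are constructed for the example.

```python
# Added example, not from the book: LSB steganography over raw RGB bytes.

# Constructed sample: three 24-bit pixels (R, G, B each), nine bytes in total.
SAMPLE_PIXELS = bytes([200, 101, 57, 134, 22, 255, 0, 73, 190])


def capacity_bytes(pixel_bytes: bytes) -> int:
    """One secret bit per colour byte, so eight colour bytes per secret byte."""
    return len(pixel_bytes) // 8


def embed_lsb(pixel_bytes: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least significant bits of successive colour bytes."""
    bits = "".join(format(b, "08b") for b in secret)
    if len(bits) > len(pixel_bytes):
        raise ValueError(f"cover holds {len(pixel_bytes)} bits but the secret needs {len(bits)}")
    out = bytearray(pixel_bytes)
    for i, bit in enumerate(bits):
        # Step 1: clear the least significant bit. Step 2: set it if the secret bit is 1.
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)


def extract_lsb(pixel_bytes: bytes, nbytes: int) -> bytes:
    """Read nbytes secret bytes back from the least significant bits."""
    bits = "".join(str(b & 1) for b in pixel_bytes[: nbytes * 8])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def max_byte_change(before: bytes, after: bytes) -> int:
    """Largest change to any colour value; for LSB embedding it is at most 1."""
    return max(abs(a - b) for a, b in zip(before, after))


if __name__ == "__main__":
    stego = embed_lsb(SAMPLE_PIXELS, b"M")
    print(list(SAMPLE_PIXELS))
    print(list(stego))                               # [200, 101, 56, 134, 23, 255, 0, 73, 190]
    print(extract_lsb(stego, 1))                     # b'M'
    print(max_byte_change(SAMPLE_PIXELS, stego))     # 1
```

The ninth byte is untouched because the letter M needs only eight bits; a real cover image carries hundreds of thousands of colour bytes, and the same loop simply continues across them. The flattening of the least significant bit plane that this produces is also what simple statistical steganalysis looks for, so "not visible" does not mean "not detectable".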

Other Covers Other covers are also possible. The secret message, for example,
can be covered under audio (sound and music) and video. Both audio and video are
compressed today; the secret data can be embedded during or before the compression.
We leave the discussion of these techniques to more specialized books in
steganography.



1.5 THE REST OF THE BOOK

The rest of this book is divided into four parts.

Part One: Symmetric-Key Encipherment

The chapters in Part One discuss encipherment, both classic and modern, using symmetric-key
cryptography. These chapters show how the first goal of security can be
implemented using this technique.

Part Two: Asymmetric-Key Encipherment

The chapters in Part Two discuss encipherment using asymmetric-key cryptography.
These chapters also show how the first goal of the security can be implemented using
this technique.

Part Three: Integrity, Authentication, and Key Management

The chapters in Part Three introduce the third application of cryptography, hashing,
and show how it can be combined with the techniques discussed in Parts I and II for
implementing the second goal of security.

Part Four: Network Security

The chapters in Part Four show how the methods discussed in the first three parts of the
book can be combined to create network security using the Internet model.



1.6 RECOMMENDED READING

For more details about subjects discussed in this chapter, the following books and websites
are good places to start. The items enclosed in brackets refer to the reference list at
the end of the book.

Books

Several books discuss security goals, attacks, and mechanisms. We recommend [Bis05]
and [Sta06].

WebSites

The following websites give more information about topics discussed in this chapter.

http://www.faqs.org/rfcs/rfc2828.html
[second URL not recoverable from the scan]



1.7 KEY TERMS

access control
asymmetric-key encipherment
authentication exchange
confidentiality
cryptography
data confidentiality
data integrity
decryption
denial of service
digital signature
encipherment
encryption
hashing
integrity
International Telecommunication Union-Telecommunication Standardization Sector (ITU-T)
masquerading
modification
nonrepudiation
notarization
passive attack
private key
public key
replaying
repudiation
routing control
secret key
security attacks
security goals
security mechanisms
snooping
steganography
symmetric-key encipherment
traffic analysis
traffic padding



1.8 SUMMARY

□ Three general goals have been defined for security: confidentiality, integrity, and
availability.

□ Two types of attacks threaten the confidentiality of information: snooping and traffic
analysis. Four types of attacks can threaten the integrity of information: modification,
masquerading, replaying, and repudiation. Denial-of-service attacks threaten
the availability of information.

□ Some organizations involved in data communication and networking, such as
ITU-T or the Internet, have defined several security services that are related to
the security goals and security attacks. This chapter discussed five common security
services: data confidentiality, data integrity, authentication, nonrepudiation,
and access control.

□ ITU-T also recommends some mechanisms to provide security. We discussed
eight of these mechanisms: encipherment, data integrity, digital signature,
authentication exchange, traffic padding, routing control, notarization, and access
control.

□ There are two techniques, cryptography and steganography, that can implement
some or all of the mechanisms. Cryptography or "secret writing" involves
scrambling a message or creating a digest of the message. Steganography or
"covered writing" means concealing the message by covering it with something
else.



1.9 PRACTICE SET

Review Questions

1. Define the three security goals.

2. Distinguish between passive and active security attacks. Name some passive attacks.
Name some active attacks.

3. List and define five security services discussed in this chapter.

4. Define eight security mechanisms discussed in this chapter.

5. Distinguish between cryptography and steganography.

Exercises

6. Which security service(s) are guaranteed when using each of the following methods
to send mail at the post office?

a. Regular mail
b. Regular mail with delivery confirmation
c. Regular mail with delivery and recipient signature
d. Certified mail
e. Insured mail
f. Registered mail

7. Define the type of security attack in each of the following cases:

a. A student breaks into a professor's office to obtain a copy of the next day's test.
b. A student gives a check for $10 to buy a used book. Later she finds that the
check was cashed for $100.
c. A student sends hundreds of e-mails per day to another student using a phony
return e-mail address.

8. Which security mechanism(s) are provided in each of the following cases?

a. A school demands student identification and a password to let students log into
the school server.
b. A school server disconnects a student if she is logged into the system for more
than two hours.
c. A professor refuses to send students their grades by e-mail unless they provide
student identification they were preassigned.
d. A bank requires the customer's signature for a withdrawal.

9. Which technique (cryptography or steganography) is used in each of the following
cases for confidentiality?

a. A student writes the answers to a test on a small piece of paper, rolls up the
paper, inserts it in a ball-point pen, and passes the pen to another student.
b. To send a message, a spy replaces each character in the message with a symbol
that was agreed upon in advance as the character's replacement.
c. A company uses special ink on its checks to prevent forgeries.
d. A graduate student uses watermarks to protect her thesis, which is posted on
her website.

10. What type of security mechanism(s) are provided when a person signs a form he has
filled out to apply for a credit card?




PART 1 SYMMETRIC-KEY ENCIPHERMENT

standing the rest of the chapters in this part. Chapter 3 explores the traditional ciphers
used in the past. Chapters 5, 6, and 7 explain modern block ciphers that are used
today. Chapter 8 shows how modern block and stream ciphers can be used to encipher
long messages.

Chapter 2: Mathematics of Cryptography: Part I

Chapter 2 reviews some mathematical concepts needed to understand the next
few chapters. It discusses integer and modular arithmetic, matrices, and congruence
relations.

Chapter 3: Traditional Symmetric-Key Ciphers

Chapter 3 introduces traditional symmetric-key ciphers. Although these ciphers are not
used today, they are the foundation of modern symmetric-key ciphers. This chapter
emphasizes the two categories of traditional ciphers: substitution ciphers and transposition
ciphers. It also introduces the concepts of stream ciphers and block ciphers.

Chapter 4: Mathematics of Cryptography: Part II

Chapter 4 is another review of mathematics needed to understand the contents of the subsequent
chapters. It reviews some algebraic structures, such as groups, rings, and finite
fields, which are used in modern block ciphers.

Chapter 5: Introduction to Modern Symmetric-Key Ciphers

Chapter 5 is an introduction to modern symmetric-key ciphers. Understanding the individual
elements used in modern symmetric-key ciphers paves the way to a better understanding
and analysis of modern ciphers. This chapter introduces components of block
ciphers such as P-boxes and S-boxes. It also distinguishes between two classes of product
ciphers: Feistel and non-Feistel ciphers.

Chapter 6: Data Encryption Standard (DES)

Chapter 6 uses the elements defined in Chapter 5 to discuss and analyze one of the common
symmetric-key ciphers used today, the Data Encryption Standard (DES). The
emphasis is on how DES uses 16 rounds of Feistel ciphers.

Chapter 7: Advanced Encryption Standard (AES)

Chapter 7 shows how some algebraic structures discussed in Chapter 4 and some elements
discussed in Chapter 5 can create a very strong cipher, the Advanced Encryption
Standard (AES). The emphasis is on how the algebraic structures discussed in Chapter 4
achieve the AES security goals.

Chapter 8: Encipherment Using Modern Symmetric-Key Ciphers

Chapter 8 shows how modern block and stream ciphers can actually be used to encipher
long messages. It explains five modes of operation designed to be used with modern
block ciphers. It also introduces two stream ciphers used for real-time processing of data.



Mathematics of Cryptography

Part I: Modular Arithmetic, Congruence, and Matrices

Objectives

This chapter is intended to prepare the reader for the next few chapters in cryptography. The chapter has several objectives:

□ To review integer arithmetic, concentrating on divisibility and finding the greatest common divisor using the Euclidean algorithm

□ To understand how the extended Euclidean algorithm can be used to solve linear Diophantine equations, to solve linear congruent equations, and to find the multiplicative inverses

□ To emphasize the importance of modular arithmetic and the modulo operator, because they are extensively used in cryptography

□ To emphasize and review matrices and operations on residue matrices that are extensively used in cryptography

□ To solve a set of congruent equations using residue matrices

Cryptography is based on some specific areas of mathematics, including number theory, linear algebra, and algebraic structures. In this chapter, we discuss only the topics in the above areas that are needed to understand the contents of the next few chapters. Readers who are familiar with these topics can skip this chapter entirely or partially. Similar chapters are provided throughout the book when needed. Proofs of theorems and algorithms have been omitted, and only their applications are shown. The interested reader can find proofs of the theorems and algorithms in Appendix Q.

Proofs of theorems and algorithms discussed in this chapter can be found in Appendix Q.



CHAPTER 2 MATHEMATICS OF CRYPTOGRAPHY

2.1 INTEGER ARITHMETIC

In integer arithmetic, we use a set and a few operations. You are familiar with this set and the corresponding operations, but they are reviewed here to create a background for modular arithmetic.

Set of Integers

The set of integers, denoted by Z, contains all integral numbers (with no fraction) from negative infinity to positive infinity (Figure 2.1).



Figure 2.1 The set of integers

Z = { . . . , −2, −1, 0, 1, 2, . . . }

Binary Operations

In cryptography, we are interested in three binary operations applied to the set of integers. A binary operation takes two inputs and creates one output. Three common binary operations defined for integers are addition, subtraction, and multiplication. Each of these operations takes two inputs (a and b) and creates one output (c) as shown in Figure 2.2. The two inputs come from the set of integers; the output goes into the set of integers.

Note that division does not fit in this category because, as we will see shortly, it produces two outputs instead of one.



Figure 2.2 Three binary operations for the set of integers

Inputs a and b come from Z = { . . . , −2, −1, 0, 1, 2, . . . }; the operation (+, −, or ×) produces one output c, also in Z.



Example 2.1

The following shows the results of the three binary operations on two integers. Because each input can be either positive or negative, we can have four cases for each operation.

Add:       5 + 9 = 14      (−5) + 9 = 4       5 + (−9) = −4      (−5) + (−9) = −14
Subtract:  5 − 9 = −4      (−5) − 9 = −14     5 − (−9) = 14      (−5) − (−9) = +4
Multiply:  5 × 9 = 45      (−5) × 9 = −45     5 × (−9) = −45     (−5) × (−9) = 45



SECTION 2.1 INTEGER ARITHMETIC

Integer Division

In integer arithmetic, if we divide a by n, we can get q and r. The relationship between these four integers can be shown as

a = q × n + r

In this relation, a is called the dividend; q, the quotient; n, the divisor; and r, the remainder. Note that this is not an operation, because the result of dividing a by n is two integers, q and r. We can call it division relation.

Example 2.2

Assume that a = 255 and n = 11. We can find q = 23 and r = 2 using the division algorithm we have learned in arithmetic, as shown in Figure 2.3.



Figure 2.3 Finding the quotient and the remainder

255 = 23 × 11 + 2 (dividend = quotient × divisor + remainder)



Most computer languages can find the quotient and the remainder using language-specific operators. For example, in the C language the operator / can find the quotient and the operator % can find the remainder.

Two Restrictions

When we use the above division relationship in cryptography, we impose two restrictions. First, we require that the divisor be a positive integer (n > 0). Second, we require that the remainder be a nonnegative integer (r ≥ 0). Figure 2.4 shows this relationship with the two above-mentioned restrictions.

Figure 2.4 Division algorithm for integers

a (from Z = { . . . , −2, −1, 0, 1, 2, . . . }) and n (positive) → q and r (r nonnegative), with a = q × n + r



Example 2.3

When we use a computer or a calculator, r and q are negative when a is negative. How can we apply the restriction that r needs to be positive? The solution is simple: we decrement the value of q by 1 and we add the value of n to r to make it positive.

−255 = (−23 × 11) + (−2)  →  −255 = (−24 × 11) + 9

We have decremented −23 to become −24 and added 11 to −2 to make it 9. The above relation is still valid.

The Graph of the Relation

We can show the above relation with the two restrictions on n and r using two graphs in Figure 2.5. The first one shows the case when a is positive; the second when a is negative.




Figure 2.5 Graph of division algorithm

a. Case of positive a    b. Case of negative a

Starting from zero, the graph shows how we can reach the point representing the integer a on the line. In case of a positive a, we need to move q × n units to the right and then move extra r units in the same direction. In case of a negative a, we need to move (q − 1) × n units to the left (q is negative in this case) and then move r units in the opposite direction. In both cases the value of r is positive.

Divisibility

Let us briefly discuss divisibility, a topic we often encounter in cryptography. If a is not zero and we let r = 0 in the division relation, we get

a = q × n

We then say that n divides a (or n is a divisor of a). We can also say that a is divisible by n. When we are not interested in the value of q, we can write the above relationship as n | a. If the remainder is not zero, then n does not divide a and we can write the relationship as n ∤ a.

Example 2.4

a. The integer 4 divides the integer 32 because 32 = 8 × 4. We show this as 4 | 32.

b. The number 8 does not divide the number 42 because 42 = 5 × 8 + 2. There is a remainder, the number 2, in the equation. We show this as 8 ∤ 42.



Example 2.5

a. We have 13 | 78, 7 | 98, −6 | 24, 4 | 44, and 11 | (−33).

b. We have 13 ∤ 27, 7 ∤ 50, −6 ∤ 23, 4 ∤ 41, and 11 ∤ (−32).

Following are several properties of divisibility. The interested reader can check Appendix Q for proofs.

Property 1: if a | 1, then a = ±1.
Property 2: if a | b and b | a, then a = ±b.
Property 3: if a | b and b | c, then a | c.
Property 4: if a | b and a | c, then a | (m × b + n × c), where m and n are arbitrary integers.

Example 2.6

a. Since 3 | 15 and 15 | 45, according to the third property, 3 | 45.

b. Since 3 | 15 and 3 | 9, according to the fourth property, 3 | (15 × 2 + 9 × 4), which means 3 | 66.

A positive integer can have more than one divisor. For example, the integer 32 has six divisors: 1, 2, 4, 8, 16, and 32. We can mention two interesting facts about divisors of positive integers:

Fact 1: The integer 1 has only one divisor, itself.

Fact 2: Any positive integer has at least two divisors, 1 and itself (but it can have more).



Greatest Common Divisor

One integer often needed in cryptography is the greatest common divisor of two positive integers. Two positive integers may have many common divisors, but only one greatest common divisor. For example, the common divisors of 12 and 140 are 1, 2, and 4. However, the greatest common divisor is 4. See Figure 2.6.

Figure 2.6 Common divisors of two integers

Divisors of 140: 1, 2, 4, 5, 7, 10, 14, 20, 28, 35, 70, 140
Divisors of 12: 1, 2, 3, 4, 6, 12
Common divisors of 140 and 12: 1, 2, 4

The greatest common divisor of two positive integers is the largest integer that can divide both integers.



Euclidean Algorithm

Finding the greatest common divisor (gcd) of two positive integers by listing all common divisors is not practical when the two integers are large. Fortunately, more than 2000 years ago a mathematician named Euclid developed an algorithm that can find the greatest common divisor of two positive integers. The Euclidean algorithm is based on the following two facts (see Appendix Q for the proof):

Fact 1: gcd(a, 0) = a
Fact 2: gcd(a, b) = gcd(b, r), where r is the remainder of dividing a by b

The first fact tells us that if the second integer is 0, the greatest common divisor is the first one. The second fact allows us to change the value of a, b until b becomes 0. For example, to calculate the gcd(36, 10), we can use the second fact several times and the first fact once, as shown below.

gcd(36, 10) = gcd(10, 6) = gcd(6, 4) = gcd(4, 2) = gcd(2, 0) = 2

In other words, gcd(36, 10) = 2, gcd(10, 6) = 2, and so on. This means that instead of calculating gcd(36, 10), we can find gcd(2, 0). Figure 2.7 shows how we use the above two facts to calculate gcd(a, b).



Figure 2.7 Euclidean algorithm

a. Process: the sequence of (r1, r2) pairs, starting from (a, b) and ending when r2 = 0.

b. Algorithm:

    r1 ← a;  r2 ← b;
    while (r2 > 0)
    {
        q ← r1 / r2;
        r ← r1 − q × r2;
        r1 ← r2;  r2 ← r;
    }
    gcd(a, b) ← r1

We use two variables, r1 and r2, to hold the changing values during the process of reduction. They are initialized to a and b. In each step, we calculate the remainder of r1 divided by r2 and store the result in the variable r. We then replace r1 by r2 and r2 by r. The steps are continued until r2 becomes 0. At this moment, we stop. The gcd(a, b) is r1.



When gcd(a, b) = 1, we say that a and b are relatively prime.



Example 2.7

Find the greatest common divisor of 2740 and 1760.

Solution

We apply the above procedure using a table. We initialize r1 to 2740 and r2 to 1760. We have also shown the value of q in each step. We have gcd(2740, 1760) = 20.

q     r1      r2      r
1     2740    1760    980
1     1760    980     780
1     980     780     200
3     780     200     180
1     200     180     20
9     180     20      0
      20      0

Example 2.8

Find the greatest common divisor of 25 and 60.

Solution

We chose this particular example to show that it does not matter if the first number is smaller than the second number. We immediately get the correct ordering. We have gcd(25, 60) = 5.

q     r1      r2      r
0     25      60      25
2     60      25      10
2     25      10      5
2     10      5       0
      5       0





The Extended Euclidean Algorithm

Given two integers a and b, we often need to find other integers, s and t, such that

s × a + t × b = gcd(a, b)

The extended Euclidean algorithm can calculate the gcd(a, b) and at the same time calculate the value of s and t. The algorithm and the process is shown in Figure 2.8.

As shown in Figure 2.8, the extended Euclidean algorithm uses the same number of steps as the Euclidean algorithm. However, in each step, we use three sets of calculations and exchanges instead of one. The algorithm uses three sets of variables, r's, s's, and t's.



Figure 2.8 Extended Euclidean algorithm

a. Process: r1 ← a, r2 ← b, s1 ← 1, s2 ← 0, t1 ← 0, t2 ← 1; each step computes one quotient q and updates the r's, s's, and t's together until r2 becomes 0.

b. Algorithm:

    r1 ← a;  r2 ← b;
    s1 ← 1;  s2 ← 0;
    t1 ← 0;  t2 ← 1;
    while (r2 > 0)
    {
        q ← r1 / r2;
        r ← r1 − q × r2;   r1 ← r2;  r2 ← r;
        s ← s1 − q × s2;   s1 ← s2;  s2 ← s;
        t ← t1 − q × t2;   t1 ← t2;  t2 ← t;
    }
    gcd(a, b) ← r1;  s ← s1;  t ← t1

In each step, r1, r2, and r have the same values as in the Euclidean algorithm. The variables r1 and r2 are initialized to the values of a and b, respectively. The variables s1 and s2 are initialized to 1 and 0, respectively. The variables t1 and t2 are initialized to 0 and 1, respectively. The calculations of r, s, and t are similar, with one warning. Although r is the remainder of dividing r1 by r2, there is no such relationship between the other two sets. There is only one quotient, q, which is calculated as r1/r2 and used for the other two calculations.



Example 2.9

Given a = 161 and b = 28, find gcd(a, b) and the values of s and t.

Solution

We use a table to follow the algorithm.

We get gcd(161, 28) = 7, s = −1 and t = 6. The answers can be tested because we have

(−1 × 161) + (6 × 28) = 7

Example 2.10

Given a = 17 and b = 0, find gcd(a, b) and the values of s and t.

Solution

We use a table to follow the algorithm.

q     r1     r2     r     s1     s2     s     t1     t2     t
      17     0            1      0            0      1

Note that we need no calculation for q, r, s, and t. The first value of r2 meets our termination condition. We get gcd(17, 0) = 17, s = 1, and t = 0. The answers can be tested as shown below:

(1 × 17) + (0 × 0) = 17

Example 2.11

Given a = 0 and b = 45, find gcd(a, b) and the values of s and t.

Solution

We use a table to follow the algorithm.

q     r1     r2     r     s1     s2     s     t1     t2     t
0     0      45     0     1      0      1     0      1      0
      45     0            0      1            1      0

We get gcd(0, 45) = 45, s = 0, and t = 1. This indicates why we should initialize s2 to 0 and t2 to 1. The answer can be tested as shown below:

(0 × 0) + (1 × 45) = 45




Although we will see a very important application of the extended Euclidean algorithm in the next section, one immediate application is to find the solutions to the linear Diophantine equation of two variables, an equation of type ax + by = c. We need to find integer values for x and y that satisfy the equation. This type of equation has either no solution or an infinite number of solutions. Let d = gcd(a, b). If d ∤ c, then the equation has no solution. If d | c, then we have an infinite number of solutions. One of them is called the particular; the rest, general.

A linear Diophantine equation of two variables is ax + by = c.

Particular Solution

If d | c, a particular solution to the above equation can be found using the following steps:

1. Reduce the equation to a1x + b1y = c1 by dividing both sides of the equation by d. This is possible because d divides a, b, and c by the assumption.

2. Solve for s and t in the relation a1s + b1t = 1 using the extended Euclidean algorithm.

3. The particular solution can be found:

Particular solution: x0 = (c/d)s and y0 = (c/d)t

General Solutions

After finding the particular solution, the general solutions can be found:

General solutions: x = x0 + k(b/d) and y = y0 − k(a/d), where k is an integer



Example 2.12

Find the particular and general solutions to the equation 21x + 14y = 35.

Solution

We have d = gcd(21, 14) = 7. Since 7 | 35, the equation has an infinite number of solutions. We can divide both sides by 7 to find the equation 3x + 2y = 5. Using the extended Euclidean algorithm, we find s and t such that 3s + 2t = 1. We have s = 1 and t = −1. The solutions are

Particular: x0 = 5 × 1 = 5 and y0 = 5 × (−1) = −5
General: x = 5 + k × 2 and y = −5 − k × 3, where k is an integer

Therefore, the solutions are (5, −5), (7, −8), (9, −11), . . . We can easily test that each of these solutions satisfies the original equation.

Example 2.13

A very interesting application in real life is when we want to find different combinations of objects having different values. For example, imagine we want to cash a $100 check and get some $20 and some $5 bills. We have many choices, which we can find by solving the corresponding Diophantine equation 20x + 5y = 100. Since d = gcd(20, 5) = 5 and 5 | 100, the equation has an infinite number of solutions, but only a few of them are acceptable in this case (only answers in which both x and y are nonnegative integers). We divide both sides by 5 to get 4x + y = 20. We then solve the equation 4s + t = 1. We can find s = 0 and t = 1 using the extended Euclidean algorithm. The particular solutions are x0 = 0 × 20 = 0 and y0 = 1 × 20 = 20. The general solutions with x and y nonnegative are (0, 20), (1, 16), (2, 12), (3, 8), (4, 4), (5, 0). The rest of the solutions are not acceptable because y becomes negative. The teller at the bank needs to ask which of the above combinations we want. The first has no $20 bills; the last has no $5 bills.
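The extended Euclidean algorithm of Figure 2.8 and the Diophantine procedure above, as an added example that is not part of the book (Python 3 assumed): it traces the algorithm with the book's r, s, t variables and then uses it to solve ax + by = c as in Examples 2.12 and 2.13, including the enumeration of nonnegative solutions; the function names are my own.

```python
# Added example, not from the book: the extended Euclidean algorithm of
# Figure 2.8 with the book's variable names (r1, r2, s1, s2, t1, t2, q),
# the trace tables of Examples 2.7-2.11, and the Diophantine solver of
# Examples 2.12-2.13 built on top of it. Assumes Python 3.

def extended_euclid(a, b, trace=None):
    """Return (gcd, s, t) with s*a + t*b == gcd(a, b) for a, b >= 0.

    If `trace` is a list, one row (q, r1, r2, r, s1, s2, s, t1, t2, t) is
    appended per loop iteration, matching the book's tables.
    """
    r1, r2 = a, b          # the r's are the plain Euclidean algorithm
    s1, s2 = 1, 0          # coefficients of a
    t1, t2 = 0, 1          # coefficients of b
    while r2 > 0:
        q = r1 // r2       # one quotient drives all three updates
        r = r1 - q * r2
        s = s1 - q * s2
        t = t1 - q * t2
        if trace is not None:
            trace.append((q, r1, r2, r, s1, s2, s, t1, t2, t))
        r1, r2 = r2, r
        s1, s2 = s2, s
        t1, t2 = t2, t
    return r1, s1, t1      # gcd(a, b) = r1, s = s1, t = t1


def euclid_table(a, b):
    """The rows of the table the book uses to follow the algorithm."""
    rows = []
    extended_euclid(a, b, rows)
    return rows


def gcd(a, b):
    """Plain Euclidean algorithm: just the r-variables of extended_euclid."""
    return extended_euclid(a, b)[0]


def solve_diophantine(a, b, c):
    """Solve a*x + b*y = c over the integers (a, b > 0).

    Returns None when d = gcd(a, b) does not divide c; otherwise
    ((x0, y0), (b/d, -a/d)), the particular solution and the step that
    generates the general solution x = x0 + k*(b/d), y = y0 - k*(a/d).
    """
    d = gcd(a, b)
    if c % d != 0:
        return None
    a1, b1, c1 = a // d, b // d, c // d       # step 1: divide through by d
    _, s, t = extended_euclid(a1, b1)          # step 2: a1*s + b1*t = 1
    x0, y0 = c1 * s, c1 * t                    # step 3: scale by c/d
    return (x0, y0), (b1, -a1)


def nonnegative_solutions(a, b, c):
    """All (x, y) with x, y >= 0 solving a*x + b*y = c (Example 2.13)."""
    sol = solve_diophantine(a, b, c)
    if sol is None:
        return []
    (x0, y0), (dx, dy) = sol
    # Walk k upward and downward from the particular solution until a
    # coordinate turns negative; with a, b > 0 both walks terminate.
    found = []
    for direction in (1, -1):
        k = 0 if direction == 1 else -1
        while True:
            x, y = x0 + k * dx, y0 + k * dy
            if x < 0 or y < 0:
                break
            found.append((x, y))
            k += direction
    return sorted(found)


if __name__ == "__main__":
    for row in euclid_table(161, 28):          # Example 2.9
        print(row)
    print(extended_euclid(161, 28))            # (7, -1, 6)
    print(solve_diophantine(21, 14, 35))       # Example 2.12
    print(nonnegative_solutions(20, 5, 100))   # Example 2.13
```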



2.2 MODULAR ARITHMETIC

The division relationship (a = q × n + r) discussed in the previous section has two inputs (a and n) and two outputs (q and r). In modular arithmetic, we are interested in only one of the outputs, the remainder r. We don't care about the quotient q. In other words, we want to know what is the value of r when we divide a by n. This implies that we can change the above relation into a binary operator with two inputs a and n and one output r.

Modulo Operator

The above-mentioned binary operator is called the modulo operator and is shown as mod. The second input (n) is called the modulus. The output r is called the residue. Figure 2.9 shows the division relation compared with the modulo operator.

Figure 2.9 Division relation and modulo operator

a. Division relation: a (from Z) and n (positive) → q and r (nonnegative)
b. Modulo operator: a (from Z) and n (positive) → mod → r (nonnegative)

As Figure 2.9 shows, the modulo operator (mod) takes an integer (a) from the set Z and a positive modulus (n). The operator creates a nonnegative residue (r). We can say

a mod n = r



Example 2.14

Find the result of the following operations:

a. 27 mod 5
b. 36 mod 12
c. −18 mod 14
d. −7 mod 10

Solution

We are looking for the residue r. We can divide a by n and find q and r. We can then disregard q and keep r.

a. Dividing 27 by 5 results in r = 2. This means that 27 mod 5 = 2.

b. Dividing 36 by 12 results in r = 0. This means that 36 mod 12 = 0.

c. Dividing −18 by 14 results in r = −4. However, we need to add the modulus (14) to make it nonnegative. We have −4 + 14 = 10. This means that −18 mod 14 = 10.

d. Dividing −7 by 10 results in r = −7. After adding the modulus to −7, we have r = 3. This means that −7 mod 10 = 3.

The result of the modulo operation with modulus n is always an integer between 0 and n − 1. In other words, the result of a mod n is always a nonnegative integer less than n. We can say that the modulo operation creates a set, which in modular arithmetic is referred to as the set of least residues modulo n, or Z_n. However, we need to remember that although we have only one set of integers (Z), we have infinite instances of the set of residues (Z_n), one for each value of n. Figure 2.10 shows the set Z_n and three instances, Z_2, Z_6, and Z_11.



Figure 2.10 Some Z_n sets

Z_n = { 0, 1, 2, 3, . . . , n − 1 }
Z_2 = { 0, 1 }
Z_6 = { 0, 1, 2, 3, 4, 5 }
Z_11 = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 }



Congruence

In cryptography, we often use the concept of congruence instead of equality. Mapping from Z to Z_n is not one-to-one. Infinite members of Z can map to one member of Z_n. For example, the result of 2 mod 10 = 2, 12 mod 10 = 2, 22 mod 10 = 2, and so on. In modular arithmetic, integers like 2, 12, and 22 are called congruent mod 10. To show that two integers are congruent, we use the congruence operator (≡). We add the phrase (mod n) to the right side of the congruence to define the value of modulus that makes the relationship valid. For example, we write

2 ≡ 12 (mod 10)    13 ≡ 23 (mod 10)    34 ≡ 24 (mod 10)    −8 ≡ 12 (mod 10)
3 ≡ 8 (mod 5)      8 ≡ 13 (mod 5)      23 ≡ 33 (mod 5)     −8 ≡ 2 (mod 5)

Figure 2.11 shows the idea of congruence. We need to explain several points.

a. The congruence operator looks like the equality operator, but there are differences. First, an equality operator maps a member of Z to itself; the congruence operator maps a member from Z to a member of Z_n. Second, the equality operator is one-to-one; the congruence operator is many-to-one.



Figure 2.11 The idea of congruence

b. The phrase (mod n) that we insert at the right-hand side of the congruence operator is just an indication of the destination set (Z_n). We need to add this phrase to show what modulus is used in the mapping. The symbol mod used here does not have the same meaning as the binary operator. In other words, the symbol mod in 12 mod 10 is an operator; the phrase (mod 10) in 2 ≡ 12 (mod 10) means that the destination set is Z_10.



Residue Classes

A residue class [a] or [a]_n is the set of integers congruent modulo n. In other words, it is the set of all integers such that x ≡ a (mod n). For example, if n = 5, we have five sets [0], [1], [2], [3], and [4] as shown below:

[0] = { . . . , −15, −10, −5, 0, 5, 10, 15, . . . }
[1] = { . . . , −14, −9, −4, 1, 6, 11, 16, . . . }
[2] = { . . . , −13, −8, −3, 2, 7, 12, 17, . . . }
[3] = { . . . , −12, −7, −2, 3, 8, 13, 18, . . . }
[4] = { . . . , −11, −6, −1, 4, 9, 14, 19, . . . }

The integers in the set [0] are all reduced to 0 when we apply the modulo 5 operation on them. The integers in the set [1] are all reduced to 1 when we apply the modulo operation, and so on. In each set, there is one element called the least (nonnegative) residue. In the set [0], this element is 0; in the set [1], this element is 1; and so on. The set of all of these least residues is what we have shown as Z_5 = { 0, 1, 2, 3, 4 }. In other words, the set Z_n is the set of all least residues modulo n.



Circular Notation

The concept of congruence can be better understood with the use of a circle. Just as we use a line to show the distribution of integers in Z, we can use a circle to show the distribution of integers in Z_n. Figure 2.12 shows the comparison between the two. Integers 0 to n − 1 are spaced evenly around a circle. All congruent integers modulo n occupy the same point on the circle. Positive and negative integers from Z are mapped to the circle in such a way that there is a symmetry between them.

Figure 2.12 Comparison of Z and Z_n using graphs

a. The set Z on a line    b. The set Z_n on a circle (the point a ≡ 2 (mod n) is marked)

Example 2.15

We use modular arithmetic in our daily life; for example, we use a clock to measure time. Our clock system uses modulo 12 arithmetic. However, instead of 0 we use the number 12. So our clock system starts with 0 (or 12) and goes until 11. Because our day lasts 24 hours, we navigate around the circle two times and denote the first revolution as A.M. and the second as P.M.



Operations in Z_n

The three binary operations (addition, subtraction, and multiplication) that we discussed for the set Z can also be defined for the set Z_n. The result may need to be mapped to Z_n using the mod operator as shown in Figure 2.13.

Figure 2.13 Binary operations in Z_n

a, b (from Z or Z_n) → Operation (+, −, ×) → mod n → c (in Z_n)

(a + b) mod n = c
(a − b) mod n = c
(a × b) mod n = c



Actually, two sets of operators are used here. The first set is one of the binary operators (+, −, ×); the second is the mod operator. We need to use parentheses to emphasize the order of operations. As Figure 2.13 shows, the inputs (a and b) can be members of Z_n or Z.

Example 2.16

Perform the following operations (the inputs come from Z_n):

a. Add 7 to 14 in Z_15.
b. Subtract 11 from 7 in Z_13.
c. Multiply 11 by 7 in Z_20.

Solution

The following shows the two steps involved in each case:

(14 + 7) mod 15  →  (21) mod 15 = 6
(7 − 11) mod 13  →  (−4) mod 13 = 9
(7 × 11) mod 20  →  (77) mod 20 = 17

Example 2.17

Perform the following operations (the inputs come from either Z or Z_n):

a. Add 17 to 27 in Z_14.
b. Subtract 43 from 12 in Z_13.
c. Multiply 123 by −10 in Z_19.

Solution

The following shows the two steps involved in each case:

(17 + 27) mod 14  →  (44) mod 14 = 2
(12 − 43) mod 13  →  (−31) mod 13 = 8
(123 × (−10)) mod 19  →  (−1230) mod 19 = 5



Properties

We mentioned that the two inputs to the three binary operations in the modular arithmetic can come from Z or Z_n. The following properties allow us to first map the two inputs to Z_n (if they are coming from Z) before applying the three binary operations (+, −, ×). Interested readers can find proofs for these properties in Appendix Q.

First Property: (a + b) mod n = [(a mod n) + (b mod n)] mod n
Second Property: (a − b) mod n = [(a mod n) − (b mod n)] mod n
Third Property: (a × b) mod n = [(a mod n) × (b mod n)] mod n



Figure 2.14 shows the process before and after applying the above properties. Although the figure shows that the process is longer if we apply the above properties, we should remember that in cryptography we are dealing with very large integers. For example, if we multiply a very large integer by another very large integer, we may have an integer that is too large to be stored in the computer. Applying the above properties makes the two operands smaller before the multiplication operation is applied. In other words, the properties allow us to work with smaller numbers. This fact will manifest itself more clearly in discussion of the exponential operation in later chapters.

Figure 2.14 Properties of mod operator

a. Original process: a, b → operation → mod n → result
b. Applying properties: a mod n, b mod n → operation → mod n → result

Example 2.18

The following shows the application of the above properties:

1. (1,723,345 + 2,124,945) mod 11 = (8 + 9) mod 11 = 6
2. (1,723,345 − 2,124,945) mod 11 = (8 − 9) mod 11 = 10
3. (1,723,345 × 2,124,945) mod 11 = (8 × 9) mod 11 = 6



Example 2.19

In arithmetic, we often need to find the remainder of powers of 10 when divided by an integer. For example, we need to find 10 mod 3, 10^2 mod 3, 10^3 mod 3, and so on. We also need to find 10 mod 7, 10^2 mod 7, 10^3 mod 7, and so on. The third property of the mod operator mentioned above makes life much easier.

10^n mod x = (10 mod x)^n mod x        Applying the third property n times

We have

10 mod 3 = 1  →  10^n mod 3 = (10 mod 3)^n mod 3 = 1
10 mod 7 = 3  →  10^n mod 7 = (10 mod 7)^n mod 7 = 3^n mod 7
10 mod 9 = 1  →  10^n mod 9 = (10 mod 9)^n mod 9 = 1

Example 2.20

We have been told in arithmetic that the remainder of an integer divided by 3 is the same as the remainder of the sum of its decimal digits. In other words, the remainder of dividing 6371 by 3 is the same as dividing 17 by 3 because 6 + 3 + 7 + 1 = 17. We can prove this claim using the properties of the mod operator. We write an integer as the sum of its digits multiplied by the powers of 10:

a = a_n × 10^n + . . . + a_1 × 10^1 + a_0 × 10^0

Now we apply the mod operator to both sides of the equality and use the result of the previous example that 10^n mod 3 = 1:

a mod 3 = (a_n × 10^n + . . . + a_1 × 10^1 + a_0 × 10^0) mod 3
        = [(a_n mod 3) × (10^n mod 3) + . . . + (a_1 mod 3) × (10^1 mod 3) + (a_0 mod 3) × (10^0 mod 3)] mod 3
        = [(a_n mod 3) + . . . + (a_1 mod 3) + (a_0 mod 3)] mod 3
        = (a_n + . . . + a_1 + a_0) mod 3
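The modulo operator, the three properties, and the powers-of-10 and digit-sum arguments of Examples 2.14 to 2.20, as an added example that is not the book's own code (Python 3 assumed): the residue is built from the division relation with the fix of Example 2.3 rather than from Python's % operator, and the properties are applied to reduce operands before combining them; the function names are my own.

```python
# Added example, not from the book: the modulo operator of Section 2.2
# derived from the division relation a = q*n + r with the two restrictions
# (n > 0, 0 <= r < n), the three properties of the mod operator, and the
# powers-of-10 / digit-sum arguments of Examples 2.19-2.20. Assumes
# Python 3; Python's own % is deliberately not used for the residue.

def divide(a, n):
    """Return (q, r) with a == q*n + r, n > 0 and 0 <= r < n.

    Starts from truncating division (what C's / and % give), which makes
    r negative for negative a, then applies the fix of Example 2.3:
    decrement q by one and add n to r.
    """
    if n <= 0:
        raise ValueError("the divisor must be a positive integer")
    q = abs(a) // n
    if a < 0:
        q = -q                  # truncation toward zero, like C
    r = a - q * n
    if r < 0:                   # Example 2.3: -255 = (-23)*11 + (-2)
        q -= 1                  #           -> -255 = (-24)*11 + 9
        r += n
    return q, r


def mod(a, n):
    """a mod n: keep only the residue, always a member of Z_n."""
    return divide(a, n)[1]


def congruent(a, b, n):
    """a ≡ b (mod n): a and b map to the same member of Z_n."""
    return mod(a, n) == mod(b, n)


def residue_class(a, n, lo, hi):
    """The members of [a] in Z_n that lie in lo..hi (Residue Classes)."""
    return [x for x in range(lo, hi + 1) if congruent(x, a, n)]


def add_mod(a, b, n):
    """(a + b) mod n via the first property: reduce the inputs first."""
    return mod(mod(a, n) + mod(b, n), n)


def sub_mod(a, b, n):
    """(a - b) mod n via the second property."""
    return mod(mod(a, n) - mod(b, n), n)


def mul_mod(a, b, n):
    """(a * b) mod n via the third property."""
    return mod(mod(a, n) * mod(b, n), n)


def pow10_mod(i, n):
    """10**i mod n by applying the third property i times (Example 2.19).

    The running product is reduced after every multiplication, so no
    intermediate value exceeds n*n however large i is.
    """
    result = 1
    for _ in range(i):
        result = mul_mod(result, 10, n)
    return result


def digit_sum_mod(a, n):
    """a mod n computed from the decimal digits of a >= 0 (Example 2.20).

    With a = a_k*10^k + ... + a_1*10 + a_0, the first and third
    properties give a mod n as the reduced sum of (a_i mod n)*(10^i mod n).
    When 10 mod n == 1 (n = 3 or 9) every weight is 1, so this is the
    digit sum mod n that the example proves.
    """
    total = 0
    for i, digit in enumerate(reversed(str(a))):
        total = add_mod(total, mul_mod(int(digit), pow10_mod(i, n), n), n)
    return total


if __name__ == "__main__":
    print(mod(27, 5), mod(36, 12), mod(-18, 14), mod(-7, 10))  # Example 2.14
    print(residue_class(2, 5, -13, 17))                          # [2] in Z_5
    print(mul_mod(1723345, 2124945, 11))                         # Example 2.18
    print(digit_sum_mod(6371, 3), mod(6371, 3))                  # Example 2.20
```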

Inverses

When we are working in modular arithmetic, we often need to find the inverse of a number relative to an operation. We are normally looking for an additive inverse (relative to an addition operation) or a multiplicative inverse (relative to a multiplication operation).

Additive Inverse

In Z_n, two numbers a and b are additive inverses of each other if

a + b ≡ 0 (mod n)

In Z_n, the additive inverse of a can be calculated as b = n − a. For example, the additive inverse of 4 in Z_10 is 10 − 4 = 6.

In modular arithmetic, each integer has an additive inverse. The sum of an integer and its additive inverse is congruent to 0 modulo n.

Note that in modular arithmetic, each number has an additive inverse and the inverse is unique: each number has one and only one additive inverse. However, the inverse of the number may be the number itself.



Example 2.21

Find all additive inverse pairs in Z_10.

Solution

The six pairs of additive inverses are (0, 0), (1, 9), (2, 8), (3, 7), (4, 6), and (5, 5). In this list, 0 is the additive inverse of itself; so is 5. Note that the additive inverses are reciprocal; if 4 is the additive inverse of 6, then 6 is also the additive inverse of 4.

Multiplicative Inverse

In Z_n, two numbers a and b are the multiplicative inverse of each other if

a × b ≡ 1 (mod n)

For example, if the modulus is 10, then the multiplicative inverse of 3 is 7. In other words, we have (3 × 7) mod 10 = 1.

In modular arithmetic, an integer may or may not have a multiplicative inverse. When it does, the product of the integer and its multiplicative inverse is congruent to 1 modulo n.

It can be proved that a has a multiplicative inverse in Z_n if and only if gcd(n, a) = 1.

Example 2.22

Find the multiplicative inverse of 8 in Z_10.

Solution

There is no multiplicative inverse because gcd(10, 8) = 2 ≠ 1. In other words, we cannot find any number between 0 and 9 such that when multiplied by 8, the result is congruent to 1.

Example 2.23

Find all multiplicative inverses in Z_10.

Solution

There are only three pairs: (1, 1), (3, 7) and (9, 9). The numbers 0, 2, 4, 5, 6, and 8 do not have a multiplicative inverse. We can see that

(1 × 1) mod 10 = 1    (3 × 7) mod 10 = 1    (9 × 9) mod 10 = 1

Example 2.24

Find all multiplicative inverse pairs in Z_11.

Solution

We have seven pairs: (1, 1), (2, 6), (3, 4), (5, 9), (7, 8), (9, 9), and (10, 10). In moving from Z_10 to Z_11, the number of pairs doubles. The reason is that in Z_11, gcd(11, a) is 1 (relatively prime) for all values of a except 0. It means all integers 1 to 10 have multiplicative inverses.

The integer a in Z_n has a multiplicative inverse if and only if gcd(n, a) = 1.

The extended Euclidean algorithm we discussed earlier in the chapter can find the multiplicative inverse of b in Z_n when n and b are given and the inverse exists. To show this, let us replace the first integer a with n (the modulus). We can say that the algorithm can find s and t such that s × n + b × t = gcd(n, b). However, if the multiplicative inverse of b exists, gcd(n, b) must be 1. So the relationship is

(s × n) + (b × t) = 1

Now we apply the modulo operator to both sides. In other words, we map each side to Z_n. We will have

(s × n + b × t) mod n = 1 mod n
[(s × n) mod n] + [(b × t) mod n] = 1 mod n
0 + [(b × t) mod n] = 1
(b × t) mod n = 1  →  This means t is the multiplicative inverse of b in Z_n

Note that [(s × n) mod n] in the third line is 0 because if we divide (s × n) by n, the quotient is s but the remainder is 0.

The extended Euclidean algorithm finds the multiplicative inverse of b in Z_n when n and b are given and gcd(n, b) = 1. The multiplicative inverse of b is the value of t after being mapped to Z_n.



Figure 2.15 shows how we can find the multiplicative inverse of a number using the extended Euclidean algorithm.

Figure 2.15 Using the extended Euclidean algorithm to find the multiplicative inverse

a. Process: r1 ← n, r2 ← b, t1 ← 0, t2 ← 1; only the r and t variables of Figure 2.8 are tracked, since s is not needed.
b. Algorithm: the loop of Figure 2.8 without the s variables; if r1 = 1 when r2 becomes 0, the inverse of b is t1 mapped to Z_n.



Example 2.25

Find the multiplicative inverse of 11 in Z_26.

Solution

We use a table similar to the one we used before with r1 = 26 and r2 = 11. We are interested only in the value of t.

The gcd(26, 11) is 1, which means that the multiplicative inverse of 11 exists. The extended Euclidean algorithm gives t1 = −7. The multiplicative inverse is (−7) mod 26 = 19. In other words, 11 and 19 are multiplicative inverses in Z_26. We can see that (11 × 19) mod 26 = 209 mod 26 = 1.

Example 2.26

Find the multiplicative inverse of 23 in Z_100.

Solution

We use a table similar to the one we used before, with r1 = 100 and r2 = 23. We are interested only in the value of t.

The gcd(100, 23) is 1, which means the inverse of 23 exists. The extended Euclidean algorithm gives t1 = −13. The inverse is (−13) mod 100 = 87. In other words, 23 and 87 are multiplicative inverses in Z_100. We can see that (23 × 87) mod 100 = 2001 mod 100 = 1.



Example 2.27

Find the inverse of 12 in Z_26.

Solution

We use a table similar to the one we used before, with r1 = 26 and r2 = 12.

q     r1     r2     r     t1     t2     t
2     26     12     2     0      1      −2
6     12     2      0     1      −2     13
      2      0            −2     13

The gcd(26, 12) = 2 ≠ 1, which means there is no multiplicative inverse for 12 in Z_26.



Addition and Multiplication Tables

Figure 2.16 shows two tables for addition and multiplication. In the addition table, each integer has an additive inverse. The inverse pairs can be found when the result of addition is zero. We have (0, 0), (1, 9), (2, 8), (3, 7), (4, 6), and (5, 5). In the multiplication table, we have only three multiplicative pairs (1, 1), (3, 7) and (9, 9). The pairs can be found whenever the result of multiplication is 1. Both tables are symmetric with respect to the diagonal of elements that moves from the top left to the bottom right, revealing the commutative property for addition and multiplication (a + b = b + a and a × b = b × a). The addition table also shows that each row or column is a permutation of another row or column. This is not true for the multiplication table.

Figure 2.16 Addition and multiplication tables for Z_10

a. Addition table in Z_10

b. Multiplication table in Z_10



Different Sets for Addition and Multiplication

In cryptography we often work with inverses: if the sender uses an integer (as the encryption key), the receiver uses the inverse of that integer (as the decryption key). If the operation (encryption/decryption algorithm) is addition, Z_n can be used as the set of possible keys because each integer in this set has an additive inverse. On the other hand, if the operation (encryption/decryption algorithm) is multiplication, Z_n cannot be the set of possible keys because only some members of this set have a multiplicative inverse. We need another set. The new set, which is a subset of Z_n, includes only integers in Z_n that have a unique multiplicative inverse. This set is called Z_n*. Figure 2.17 shows some instances of two sets. Note that Z_n* can be made from multiplication tables, such as the one shown in Figure 2.16.

Each member of Z_n has an additive inverse, but only some members have a multiplicative inverse. Each member of Z_n* has a multiplicative inverse, but only some members have an additive inverse.

We need to use Z_n when additive inverses are needed; we need to use Z_n* when multiplicative inverses are needed.






Figure 2.17 Some Z_n and Z_n* sets

Z_6 = {0, 1, 2, 3, 4, 5}                 Z_6* = {1, 5}
Z_7 = {0, 1, 2, 3, 4, 5, 6}              Z_7* = {1, 2, 3, 4, 5, 6}
Z_10 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}    Z_10* = {1, 3, 7, 9}



Two More Sets

Cryptography often uses two more sets: Z_p and Z_p*. The modulus in these two sets is a prime number. Prime numbers will be discussed in later chapters; suffice it to say that a prime number has only two divisors: integer 1 and itself.

The set Z_p is the same as Z_n except that n is a prime. Z_p contains all integers from 0 to p - 1. Each member in Z_p has an additive inverse; each member except 0 has a multiplicative inverse.

The set Z_p* is the same as Z_n* except that n is a prime. Z_p* contains all integers from 1 to p - 1. Each member in Z_p* has an additive and a multiplicative inverse. Z_p* is a very good candidate when we need a set that supports both additive and multiplicative inverses.

The following shows these two sets when p = 13:

Z_13 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
Z_13* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
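The following Python program is an added example, not code from the book. It serves both the discussion of the addition and multiplication tables (Figure 2.16) and the discussion of Z_n*, Z_p and Z_p* above: it builds both tables for any n, reads the additive and multiplicative inverse pairs off them exactly as the text describes, checks the symmetry and the row-permutation property, and derives Z_n* as the members with gcd(a, n) = 1. All function names are this example's own; it goes slightly beyond the text by working for any modulus rather than only n = 10.

```python
# Added example (not the book's code): build the addition and multiplication
# tables of Z_n (Figure 2.16 is the n = 10 case), read the inverse pairs off
# them, and derive Z_n* (members with a multiplicative inverse, i.e. gcd(a, n) = 1),
# including Z_p and Z_p* for a prime p (the book's p = 13).
from math import gcd


def add_table(n):
    """Row a, column b holds (a + b) mod n."""
    return [[(a + b) % n for b in range(n)] for a in range(n)]


def mul_table(n):
    """Row a, column b holds (a × b) mod n."""
    return [[(a * b) % n for b in range(n)] for a in range(n)]


def additive_inverse_pairs(n):
    """Unordered pairs (a, b), a <= b, whose entry in the addition table is 0."""
    table = add_table(n)
    return [(a, b) for a in range(n) for b in range(a, n) if table[a][b] == 0]


def multiplicative_inverse_pairs(n):
    """Unordered pairs (a, b), a <= b, whose entry in the multiplication table is 1."""
    table = mul_table(n)
    return [(a, b) for a in range(n) for b in range(a, n) if table[a][b] == 1]


def z_star(n):
    """Z_n*: the members of Z_n that have a multiplicative inverse.
    For a prime p this is every member except 0, i.e. Z_p*."""
    return [a for a in range(n) if gcd(a, n) == 1]


def is_symmetric(table):
    """Symmetry about the main diagonal shows the commutative property."""
    n = len(table)
    return all(table[i][j] == table[j][i] for i in range(n) for j in range(n))


def rows_are_permutations(table):
    """True when every row is a permutation of 0..n-1
    (true for the addition table, false for the multiplication table)."""
    n = len(table)
    return all(sorted(row) == list(range(n)) for row in table)


def format_table(table, op):
    """Render a table as text with a header row and column."""
    n = len(table)
    width = len(str(n - 1))
    head = op.rjust(width) + " |" + "".join(str(b).rjust(width + 1) for b in range(n))
    lines = [head, "-" * len(head)]
    for a in range(n):
        lines.append(str(a).rjust(width) + " |" + "".join(str(v).rjust(width + 1) for v in table[a]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(add_table(10), "+"))
    print("additive inverse pairs:", additive_inverse_pairs(10))
    print(format_table(mul_table(10), "x"))
    print("multiplicative inverse pairs:", multiplicative_inverse_pairs(10))
    for n in (6, 7, 10, 13):
        print("Z_%d* = %s" % (n, z_star(n)))
```

The Z_n* sets printed for n = 6, 7, 10 and 13 match Figure 2.17 and the p = 13 listing above; for n = 13 every nonzero member appears, which is what makes Z_p* useful when both kinds of inverse are needed.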



2.3 MATRICES

In cryptography we need to handle matrices. Although this topic belongs to a special branch of algebra called linear algebra, the following brief review of matrices is necessary preparation for the study of cryptography. Readers who are familiar with this topic can skip part or all of this section. The section begins with some definitions and then shows how to use matrices in modular arithmetic.






Definitions

A matrix is a rectangular array of l × m elements, in which l is the number of rows and m is the number of columns. A matrix is normally denoted with a boldface uppercase letter such as A. The element a_ij is located in the ith row and jth column. Although the elements can be a set of numbers, we discuss only matrices with elements in Z. Figure 2.18 shows a matrix.

If a matrix has only one row (l = 1), it is called a row matrix; if it has only one column (m = 1), it is called a column matrix. In a square matrix, in which there is the same number of rows and columns (l = m), the elements a_11, a_22, ..., a_mm make the main diagonal. Additive identity matrix, denoted as 0, is a matrix with all rows and columns set to 0s. An identity matrix, denoted as I, is a square matrix with 1s on the main diagonal and 0s elsewhere. Figure 2.19 shows some examples of matrices with elements from Z.

Figure 2.18 A matrix of size l × m

SECTION 2.3 MATRICES 41

Matrix A: elements a_11 ... a_1m in the first row, down to a_l1 ... a_lm in the last row

Figure 2.19 Examples of matrices

Row matrix    Column matrix    Square matrix    Additive identity (zero) matrix    Identity matrix

Operations and Relations

In linear algebra, one relation (equality) and four operations (addition, subtraction, multiplication, and scalar multiplication) are defined for matrices.

Equality

Two matrices are equal if they have the same number of rows and columns and the corresponding elements are equal. In other words, A = B if we have a_ij = b_ij for all i's and j's.



Addition and Subtraction

Two matrices can be added if they have the same number of columns and rows. This addition is shown as C = A + B. In this case, the resulting matrix C has also the same number of rows and columns as A or B. Each element of C is the sum of the two corresponding elements of A and B: c_ij = a_ij + b_ij. Subtraction is the same except that each element of B is subtracted from the corresponding element of A: d_ij = a_ij - b_ij.

Example 2.28

Figure 2.20 shows an example of addition and subtraction.



Figure 2.20 Addition and subtraction of matrices

C = A + B

D = A - B



Multiplication

We can multiply two matrices of different sizes if the number of columns of the first matrix is the same as the number of rows of the second matrix. If A is an l × m matrix and B is an m × p matrix, the product of the two is a matrix C of size l × p. If each element of matrix A is called a_ij and each element of matrix B is called b_jk, then each element of matrix C, c_ik, can be calculated as the sum, over j = 1 to m, of the products a_ij × b_jk.

Example 2.29

Figure 2.21 shows the product of a row matrix (1 × 3) by a column matrix (3 × 1). The result is a matrix of size 1 × 1.

Figure 2.21 Multiplication of a row matrix by a column matrix

C = A × B



Example 2.30

Figure 2.22 shows the product of a 2 × 3 matrix by a 3 × 4 matrix. The result is a 2 × 4 matrix.

Figure 2.22 Multiplication of a 2 × 3 matrix by a 3 × 4 matrix

C = A × B

| 52 18 14 9 |   | 5 2 1 |   | 7 3 2 1 |
| 41 21 22 7 | = | 3 2 4 | × | 8 0 0 2 |
                               | 1 3 4 0 |


Scalar Multiplication

We can also multiply a matrix by a number (called a scalar). If A is an l × m matrix and x is a scalar, C = xA is a matrix of size l × m in which c_ij = x × a_ij.



Figure 2.23 Scalar multiplication

C = 3 × A

| 15 6 3  |       | 5 2 1 |
| 9  6 12 | = 3 × | 3 2 4 |

Example 2.31

Figure 2.23 shows an example of scalar multiplication.
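The following Python program is an added example and is not code from the book. It implements the four matrix operations just defined (addition, subtraction, multiplication and scalar multiplication) on integer matrices held as lists of rows, with the size checks the text requires, and reproduces the products of Figures 2.22 and 2.23. The function names are this example's own.

```python
# Added example (not the book's code): the four matrix operations of
# Section 2.3 on integer matrices, written as plain lists of lists.
# Input sizes are checked the way the text requires.


def shape(A):
    """(rows, columns) of a list-of-lists matrix; every row must have the same length."""
    rows, cols = len(A), len(A[0])
    if any(len(row) != cols for row in A):
        raise ValueError("ragged matrix")
    return rows, cols


def mat_add(A, B):
    """C = A + B, only for matrices of the same size: c_ij = a_ij + b_ij."""
    if shape(A) != shape(B):
        raise ValueError("addition needs matrices of equal size")
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_sub(A, B):
    """D = A - B, only for matrices of the same size: d_ij = a_ij - b_ij."""
    if shape(A) != shape(B):
        raise ValueError("subtraction needs matrices of equal size")
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_mul(A, B):
    """C = A × B for an l × m matrix A and an m × p matrix B.
    c_ik is the sum over j of a_ij × b_jk; the result is l × p."""
    l, m = shape(A)
    m2, p = shape(B)
    if m != m2:
        raise ValueError("columns of A must equal rows of B")
    return [[sum(A[i][j] * B[j][k] for j in range(m)) for k in range(p)]
            for i in range(l)]


def scalar_mul(x, A):
    """C = xA: c_ij = x × a_ij, same size as A."""
    return [[x * a for a in row] for row in A]


if __name__ == "__main__":
    # The 2 × 3 by 3 × 4 product of Figure 2.22 and the scalar product of Figure 2.23.
    A = [[5, 2, 1], [3, 2, 4]]
    B = [[7, 3, 2, 1], [8, 0, 0, 2], [1, 3, 4, 0]]
    print(mat_mul(A, B))      # [[52, 18, 14, 9], [41, 21, 22, 7]]
    print(scalar_mul(3, A))   # [[15, 6, 3], [9, 6, 12]]
    # A row matrix (1 × 3) times a column matrix (3 × 1) gives a 1 × 1 matrix (Example 2.29).
    print(mat_mul([[2, 1, 5]], [[3], [4], [1]]))   # [[15]]
```

A 1 × 1 result is still returned as a matrix, [[15]], rather than a bare number, which keeps the size rule (l × p) uniform for every product.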

Determinant

The determinant of a square matrix A of size m × m, denoted as det(A), is a scalar calculated recursively as shown below:

det(A) = a_11                                                    if m = 1
det(A) = Σ (j = 1 to m) (-1)^(i+j) × a_ij × det(A_ij)              if m > 1

where A_ij is a matrix obtained from A by deleting the ith row and jth column.

The determinant is defined only for a square matrix.



Example 2.32

Figure 2.24 shows how we can calculate the determinant of a 2 × 2 matrix based on the determinant of a 1 × 1 matrix using the above recursive definition. The example shows that when m is 1 or 2, it is very easy to find the determinant of a matrix.

Figure 2.24 Calculating the determinant of a 2 × 2 matrix

det | 5 2 | = (+1) × 5 × det[4] + (-1) × 2 × det[3] = 5 × 4 - 2 × 3 = 14
    | 3 4 |



Example 2.33

Figure 2.25 shows the calculation of the determinant of a 3 × 3 matrix.

Figure 2.25 Calculating the determinant of a 3 × 3 matrix

det | 5 2 1 |
    | 3 0 4 | = (+1) × 5 × det | 0 4 | + (-1) × 2 × det | 3 4 | + (+1) × 1 × det | 3 0 |
    | 2 1 6 |                  | 1 6 |                  | 2 6 |                  | 2 1 |

            = (+1) × 5 × (-4) + (-1) × 2 × (10) + (+1) × 1 × (3) = -37



Inverses

Matrices have both additive and multiplicative inverses.

Additive Inverse

The additive inverse of matrix A is another matrix B such that A + B = 0. In other words, we have b_ij = -a_ij for all values of i and j. Normally the additive inverse of A is defined by -A.

Multiplicative Inverse

The multiplicative inverse is defined only for square matrices. The multiplicative inverse of a square matrix A is a square matrix B such that A × B = B × A = I. Normally the multiplicative inverse of A is defined by A^-1. The multiplicative inverse exists only if det(A) has a multiplicative inverse in the corresponding set. Since no integer has a multiplicative inverse in Z, there is no multiplicative inverse of any matrix in Z. However, matrices with real elements have inverses only if det(A) ≠ 0.

Multiplicative inverses are only defined for square matrices.

Residue Matrices

Cryptography uses residue matrices: matrices where all elements are in Z_n. All operations on residue matrices are performed the same as for the integer matrices except that the operations are done in modular arithmetic. One interesting result is that a residue matrix has a multiplicative inverse if det(A) has a multiplicative inverse in Z_n. In other words, a residue matrix has a multiplicative inverse if gcd (det(A), n) = 1.

Example 2.34

Figure 2.26 shows a residue matrix A in Z_26 and its multiplicative inverse A^-1. We have det(A) = 21, which has the multiplicative inverse 5 in Z_26. Note that when we multiply the two matrices, the result is the multiplicative identity matrix in Z_26.



Figure 2.26 A residue matrix and its multiplicative inverse

A (4 × 4, elements in Z_26), det(A) = 21

A^-1 (4 × 4, elements in Z_26), det(A^-1) = 5


SECTION 2.4 LINEAR CONGRUENCE 45

Two matrices are congruent modulo n, written as A ≡ B (mod n), if they have the same number of rows and columns and all corresponding elements are congruent modulo n. In other words, A ≡ B (mod n) if a_ij ≡ b_ij (mod n) for all i's and j's.

2.4 LINEAR CONGRUENCE

Cryptography often involves solving an equation or a set of equations of one or more variables with coefficients in Z_n. This section shows how to solve equations when the power of each variable is 1 (linear equation).

Single-Variable Linear Equations

Let us see how we can solve equations involving a single variable, that is, equations of the form ax ≡ b (mod n). An equation of this type might have no solution or a limited number of solutions. Assume that the gcd (a, n) = d. If d does not divide b, there is no solution. If d divides b, there are d solutions.

If d divides b, we use the following strategy to find the solutions:

1. Reduce the equation by dividing both sides of the equation (including the modulus) by d.

2. Multiply both sides of the reduced equation by the multiplicative inverse of a to find the particular solution x0.

3. The general solutions are x = x0 + k (n / d) for k = 0, 1, ..., (d - 1).

Example 2.35

Solve the equation 10x ≡ 2 (mod 15).

Solution

First we find the gcd (10 and 15) = 5. Since 5 does not divide 2, we have no solution.

Example 2.36

Solve the equation 14x ≡ 12 (mod 18).

Solution

Note that gcd (14 and 18) = 2. Since 2 divides 12, we have exactly two solutions, but first we reduce the equation.

14x ≡ 12 (mod 18) → 7x ≡ 6 (mod 9) → x0 = (7^-1 × 6) mod 9 = (4 × 6) mod 9 = 6

Both solutions, 6 and 15, satisfy the congruence relation, because (14 × 6) mod 18 = 12 and also




Example 2.37

Solve the equation 3x + 4 ≡ 6 (mod 13).

Solution

First we change the equation to the form ax ≡ b (mod n). We add -4 (the additive inverse of 4) to both sides, which gives 3x ≡ 2 (mod 13). Because gcd (3, 13) = 1, the equation has only one solution, which is x0 = (2 × 3^-1) mod 13 = 18 mod 13 = 5. We can see that the answer satisfies the original equation: 3 × 5 + 4 ≡ 6 (mod 13).
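The following Python program is an added example and is not code from the book. It carries out the three-step strategy above for ax ≡ b (mod n), including the "no solution" case when d does not divide b, and handles the affine form ax + c ≡ b (mod n) of Example 2.37 by first adding the additive inverse of c to both sides. Python's built-in pow(a, -1, n) supplies the multiplicative inverse; the function names are this example's own.

```python
# Added example (not the book's code): the three-step strategy for
# a x ≡ b (mod n), plus the affine form a x + c ≡ b (mod n) of Example 2.37.
# Python's pow(a, -1, n) supplies the multiplicative inverse in Z_n.
from math import gcd


def solve_linear_congruence(a, b, n):
    """All solutions x in Z_n of a x ≡ b (mod n).
    With d = gcd(a, n): no solution if d does not divide b, otherwise exactly d solutions."""
    d = gcd(a, n)
    if b % d != 0:
        return []
    # Step 1: reduce both sides and the modulus by d.
    a_r, b_r, n_r = a // d, b // d, n // d
    # Step 2: multiply by the inverse of the reduced a to get the particular solution x0.
    # (A modulus of 1 arises only when a ≡ 0; every x is then a solution and x0 = 0.)
    x0 = 0 if n_r == 1 else (pow(a_r, -1, n_r) * b_r) % n_r
    # Step 3: the general solutions x = x0 + k (n / d), k = 0, ..., d - 1.
    return [x0 + k * n_r for k in range(d)]


def solve_affine_congruence(a, c, b, n):
    """a x + c ≡ b (mod n): add the additive inverse of c to both sides first,
    which gives a x ≡ (b - c) (mod n), then solve that."""
    return solve_linear_congruence(a, (b - c) % n, n)


def check(a, b, n, solutions):
    """True when every reported x really satisfies a x ≡ b (mod n)."""
    return all((a * x) % n == b % n for x in solutions)


if __name__ == "__main__":
    print(solve_linear_congruence(10, 2, 15))   # [] : gcd 5 does not divide 2 (Example 2.35)
    print(solve_linear_congruence(14, 12, 18))  # [6, 15] (Example 2.36)
    print(solve_affine_congruence(3, 4, 6, 13)) # [5] (Example 2.37)
```

Because the particular solution is taken modulo n / d and k runs only up to d - 1, the list always contains exactly the d distinct residues in Z_n that the text promises, with no duplicates.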

Set of Linear Equations

We can also solve a set of linear equations with the same modulus if the matrix formed from the coefficients of the variables is invertible. We make three matrices. The first is the square matrix made from the coefficients of the variables. The second is a column matrix made from the variables. The third is a column matrix made from the values at the right-hand side of the congruence operator. We can interpret the set of equations as matrix multiplication. If both sides of the congruence are multiplied by the multiplicative inverse of the first matrix, the result is the variable matrix at the right-hand side, which means the problem can be solved by a matrix multiplication as shown in Figure 2.27.

Figure 2.27 Set of linear equations

a. Equations

b. Interpretation

c. Solution



Example 2.38

Solve the set of following three equations:

3x + 5y + 7z ≡ 3 (mod 16)
x + 4y + 13z ≡ 5 (mod 16)
2x + 7y + 3z ≡ 4 (mod 16)

SECTION 2.6 KEY TERMS 47

Here x, y, and z play the roles of x1, x2, and x3. The matrix formed by the set of equations is invertible. We find the multiplicative inverse of the matrix and multiply it by the column matrix formed from 3, 5, and 4. The result is x ≡ 15 (mod 16), y ≡ 4 (mod 16), and z ≡ 14 (mod 16). We can check the answer by inserting these values into the equations.
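The following Python program is an added example and is not code from the book. It serves three of the passages above at once: the recursive determinant of Examples 2.32 and 2.33, the multiplicative inverse of a residue matrix in Z_n (Example 2.34, where the inverse exists only when gcd(det(A), n) = 1), and the matrix solution of a set of linear congruences (Figure 2.27 and Example 2.38). The inverse is built from the adjugate, A^-1 = det(A)^-1 × adj(A) (mod n), which the text does not spell out; Python's pow(d, -1, n) gives the inverse of the determinant in Z_n. The function names are this example's own.

```python
# Added example (not the book's code): the recursive determinant of Section 2.3,
# the multiplicative inverse of a residue matrix in Z_n, and the matrix solution
# of a set of linear congruences (Figure 2.27, Example 2.38).
from math import gcd


def minor(A, i, j):
    """A_ij: the matrix obtained from A by deleting row i and column j (0-based)."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]


def det(A):
    """det(A) by cofactor expansion along the first row: a_11 when m = 1,
    otherwise the sum over j of (-1)^(1+j) × a_1j × det(A_1j)."""
    m = len(A)
    if any(len(row) != m for row in A):
        raise ValueError("determinant is defined only for a square matrix")
    if m == 1:
        return A[0][0]
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j)) for j in range(m))


def mat_mul_mod(A, B, n):
    """Residue-matrix product: every c_ik reduced into Z_n."""
    return [[sum(A[i][j] * B[j][k] for j in range(len(B))) % n
             for k in range(len(B[0]))] for i in range(len(A))]


def inverse_mod(A, n):
    """A^-1 in Z_n, or None when gcd(det(A), n) != 1.
    Adjugate form: (A^-1)_ij = det(A)^-1 × (-1)^(i+j) × det(A_ji) (mod n)."""
    d = det(A) % n
    if gcd(d, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    m = len(A)
    if m == 1:
        return [[d_inv]]
    return [[(d_inv * (-1) ** (i + j) * det(minor(A, j, i))) % n for j in range(m)]
            for i in range(m)]


def solve_system_mod(coeffs, rhs, n):
    """Solve coeffs × X ≡ rhs (mod n) as X = coeffs^-1 × rhs (mod n).
    Returns the solution column as a list, or None when coeffs is not invertible in Z_n."""
    inv = inverse_mod(coeffs, n)
    if inv is None:
        return None
    column = [[b] for b in rhs]
    return [row[0] for row in mat_mul_mod(inv, column, n)]


if __name__ == "__main__":
    print(det([[5, 2], [3, 4]]))                   # 14  (Figure 2.24)
    print(det([[5, 2, 1], [3, 0, 4], [2, 1, 6]]))  # -37 (Figure 2.25)
    # Example 2.38: 3x + 5y + 7z ≡ 3, x + 4y + 13z ≡ 5, 2x + 7y + 3z ≡ 4 (mod 16)
    print(solve_system_mod([[3, 5, 7], [1, 4, 13], [2, 7, 3]], [3, 5, 4], 16))  # [15, 4, 14]
    # A 2 × 2 residue matrix with det 1 and its inverse in Z_26 (constructed values).
    A = [[3, 5], [1, 2]]
    print(inverse_mod(A, 26), mat_mul_mod(A, inverse_mod(A, 26), 26))  # identity
```

For the Example 2.38 system, det of the coefficient matrix is -129 ≡ 15 (mod 16), which is coprime with 16, so the inverse exists and the solution column is the [15, 4, 14] the text gives; a matrix such as [[5, 2], [3, 4]] with det 14 has no inverse in Z_26 because gcd(14, 26) = 2, and the function returns None.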




2.5 RECOMMENDED READING

For more details about subjects discussed in this chapter, we recommend the following books and sites. The items enclosed in brackets refer to the reference list at the end of the book.

Books

Several books give thorough coverage of number theory including [RnstXi], [SdiQ4], [Coii99], and [pf\>6Q]. Matrices are discussed in any book about linear algebra: [LKF04], [DK04], and [JJ^ifl^J] are good texts to start with.

WebSites

The following websites give more information about topics discussed in this chapter.

http://en.wikipedia.org/wiki/Euclidean_algorithm
http://en.wikipedia.org/wiki/M
http://en.wikipedia.org/wiki/Additive_inverse



2.6 KEY TERMS

additive inverse
binary operation
column matrix
congruence
congruence operator
determinant
divisibility
Euclidean algorithm
extended Euclidean algorithm
greatest common divisor
identity matrix
integer arithmetic
least residue
linear congruence
linear Diophantine equation
modular arithmetic
modulo operator (mod)
modulus
multiplicative inverse
relatively prime
residue
row matrix
scalar
set of integers, Z
square matrix



2.7 SUMMARY

□ The set of integers, denoted by Z, contains all integral numbers from negative infinity to positive infinity. Three common binary operations defined for integers are addition, subtraction, and multiplication. Division does not fit in this category because it produces two outputs instead of one.

□ In integer arithmetic, if we divide a by n, we can get q and r. The relationship between these four integers can be shown as a = q × n + r. We say n|a if a = q × n. We mentioned four properties of divisibility in this chapter.

□ Two positive integers can have more than one common divisor. But we are normally interested in the greatest common divisor. The Euclidean algorithm gives an efficient and systematic way to calculate the greatest common divisor of two integers.

□ The extended Euclidean algorithm can calculate gcd (a, b) and at the same time calculate the values of s and t that satisfy the equation as + bt = gcd (a, b).

□ A linear Diophantine equation of two variables is ax + by = c. It has a particular and a general solution.

□ In modular arithmetic, we are interested only in remainders; we want to know the value of r when we divide a by n. We use a new operator called the modulo operator (mod) so that a mod n = r. Now n is called the modulus; r is called the residue.

□ The result of the modulo operation with modulus n is always an integer between 0 and n - 1. We can say that the modulo operation creates a set, which in modular arithmetic is referred to as the set of least residues modulo n, or Z_n.

□ Mapping from Z to Z_n is not one-to-one. Infinite members of Z can map to one member of Z_n. In modular arithmetic, all integers in Z that map to one integer in Z_n are called congruent modulo n. To show that two integers are congruent, we use the congruence operator (≡).

□ A residue class [a] is the set of integers congruent modulo n. It is the set of all integers such that x ≡ a (mod n).

□ The three binary operations (addition, subtraction, and multiplication) defined for the set Z can also be defined for the set Z_n. The result may need to be mapped to Z_n using the mod operator.

□ Several properties were defined for the modulo operation in this chapter.

□ In Z_n, two numbers a and b are additive inverses of each other if a + b ≡ 0 (mod n). They are the multiplicative inverses of each other if a × b ≡ 1 (mod n). The integer a has a multiplicative inverse in Z_n if and only if gcd (n, a) = 1 (a and n are relatively prime).

□ The extended Euclidean algorithm finds the multiplicative inverse of b in Z_n when n and b are given and gcd (n, b) = 1. The multiplicative inverse of b is the value of t after being mapped to Z_n.

□ A matrix is a rectangular array of l × m elements, in which l is the number of rows and m is the number of columns. We show a matrix with a boldface uppercase letter such as A. The element a_ij is located in the ith row and jth column.

SECTION 2.8 PRACTICE SET 49

□ Two matrices are equal if they have the same number of rows and columns and the corresponding elements are equal.

□ Addition and subtraction are done only on matrices of equal sizes. We can multiply matrices of different sizes if the number of columns of the first matrix is the same as the number of rows of the second matrix.

□ In residue matrices, all elements are in Z_n. All operations on residue matrices are done in modular arithmetic. A residue matrix has an inverse if the determinant of the matrix has an inverse.

□ An equation of the form ax ≡ b (mod n) may have no solution or a limited number of solutions. If gcd (a, n) | b, there is a limited number of solutions.

□ A set of linear equations with the same modulus can be solved if the matrix formed from the coefficients of the variables has an inverse.




2.8 PRACTICE SET

Review Questions

1. Distinguish between Z and Z_n. Which set can have negative integers? How can we map an integer in Z to an integer in Z_n?

2. List four properties of divisibility discussed in this chapter. Give an integer with only one divisor. Give an integer with only two divisors. Give an integer with more than two divisors.

3. Define the greatest common divisor of two integers. Which algorithm can effectively find the greatest common divisor?

4. What is a linear Diophantine equation of two variables? How many solutions can such an equation have? How can the solution(s) be found?

5. What is the modulo operator, and what is its application? List all properties we mentioned in this chapter for the modulo operation.

6. Define congruence and compare with equality.

7. Define a residue class and a least residue.

8. What is the difference between the set Z_n and the set Z_n*? In which set does each element have an additive inverse? In which set does each element have a multiplicative inverse? Which algorithm is used to find the multiplicative inverse of an integer in Z_n?

9. Define a matrix. What is a row matrix? What is a column matrix? What is a square matrix? What type of matrix has a determinant? What type of matrix can have an inverse?

10. Define linear congruence. What algorithm can be used to solve an equation of type ax ≡ b (mod n)? How can we solve a set of linear equations?

Exercises

11. Which of the following relations are true and which are false?

5|26   3|123   27|127   15|21   23|96   8|5

12. Using the Euclidean algorithm, find the greatest common divisor of the following pairs of integers.

a. 88 and 220
b. 300 and 42
c. 24 and 320
d. 401 and 700

13. Solve the following.

a. Given gcd (a, b) = 24, find gcd (a, b, 16).
b. Given gcd (a, b, c) = 12, find gcd (a, b, c, 16).
c. Find gcd (200, 180, and 450).
d. Find gcd (200, 180, 450, …).

14. Assume that n is a nonnegative integer.

a. Find gcd (2n + 1, n).
b. Using the result of part a, find gcd (201, 100), gcd (81, 40), and gcd (501, 250).

15. Assume that n is a nonnegative integer.

a. Find gcd (3n + 1, 2n + 1).
b. Using the result of part a, find gcd (301, …) and gcd (121, 81).

16. Using the extended Euclidean algorithm, find the greatest common divisor of the following pairs and the values of s and t.

a. 4 and 7
b. 291 and 42
c. … and …
d. 400 and 60

17. Find the results of the following operations.

a. 22 mod 7
b. 140 mod 10
c. -78 mod 13
d. 0 mod 15

18. Perform the following operations using reduction first.

a. (273 + 147) mod 10
b. (4223 + 17323) mod 10
c. (148 + 14432) mod 12
d. (2467 + 461) mod 12

19. Perform the following operations using reduction first.

a. (125 × 45) mod 10
b. (424 × 32) mod 10
c. (144 × 34) mod 12
d. (221 × 23) mod 22




20. Use the properties of the mod operator to prove the following:

a. The remainder of any integer when divided by 10 is the rightmost digit.
b. The remainder of any integer when divided by 100 is the integer made of the two rightmost digits.
c. The remainder of any integer when divided by 1000 is the integer made of the three rightmost digits.

21. We have been told in arithmetic that the remainder of an integer divided by 5 is the same as the remainder of division of the rightmost digit by 5. Use the properties of the mod operator to prove this claim.

22. We have been told in arithmetic that the remainder of an integer divided by 2 is the same as the remainder of division of the rightmost digit by 2. Use the properties of the mod operator to prove this claim.

23. We have been told in arithmetic that the remainder of an integer divided by 4 is the same as the remainder of division of the two rightmost digits by 4. Use the properties of the mod operator to prove this claim.

24. We have been told in arithmetic that the remainder of an integer divided by 8 is the same as the remainder of division of the rightmost three digits by 8. Use the properties of the mod operator to prove this claim.

25. We have been told in arithmetic that the remainder of an integer divided by 9 is the same as the remainder of division of the sum of its decimal digits by 9. In other words, the remainder of dividing 6371 by 9 is the same as dividing 17 by 9 because 6 + 3 + 7 + 1 = 17. Use the properties of the mod operator to prove this claim.

26. The following shows the remainders of powers of 10 when divided by 7. We can prove that the pattern will be repeated for higher powers.

10^0 mod 7 = 1    10^1 mod 7 = 3    10^2 mod 7 = 2
10^3 mod 7 = -1   10^4 mod 7 = -3   10^5 mod 7 = -2

Using the above information, find the remainder of an integer when divided by 7. Test your method with 631453672.

27. The following shows the remainders of powers of 10 when divided by 11. We can prove that the pattern will be repeated for higher powers.

10^0 mod 11 = 1    10^1 mod 11 = -1    10^2 mod 11 = 1    10^3 mod 11 = -1

Using the above information, find the remainder of an integer when divided by 11. Test your method with 631453672.

28. The following shows the remainders of powers of 10 when divided by 13. We can prove that the pattern will be repeated for higher powers.

10^0 mod 13 = 1    10^1 mod 13 = -3    10^2 mod 13 = -4
10^3 mod 13 = -1   10^4 mod 13 = 3     10^5 mod 13 = 4

Using the above information, find the remainder of an integer when divided by 13. Test your method with 631453672.



29. Let us assign numeric values to the uppercase alphabet (A = 0, B = 1, ..., Z = 25). We can now do modular arithmetic on this system using modulo 26.

a. What is (…) mod 26 in this system?
b. What is (A + 6) mod 26 in this system?
c. What is (Y - 5) mod 26 in this system?
d. What is (C - 10) mod 26 in this system?

30. List all additive inverse pairs in modulus 20.

31. List all multiplicative inverse pairs in modulus 20.

32. Find the multiplicative inverse of each of the following integers in Z_180 using the extended Euclidean algorithm.

a. 38
b. 7
c. 132
d. 24

33. Find the particular and the general solutions to the following linear Diophantine equations.

a. 25x + 10y = 15
b. 19x + 13y = 20
c. 14x + 21y = 77
d. 40x + 16y = 88

34. Show that there are no solutions to the following linear Diophantine equations.

a. 15x + 12y = 13

35. A post office sells only 39-cent and 15-cent stamps. Find the number of stamps a customer needs to buy to put $2.70 postage on a package. Find a few solutions.

36. Find all solutions to each of the following linear equations:

a. 3x ≡ 4 (mod 5)
b. 4x ≡ 4 (mod 6)
c. 9x ≡ 12 (mod 7)
d. 256x ≡ 442 (mod 60)

37. Find all solutions to each of the following linear equations:

a. 3x + 5 ≡ 4 (mod 5)
b. 4x + 6 ≡ 4 (mod 6)
c. 9x + 4 ≡ 12 (mod 7)
d. 231x + 42 ≡ 248 (mod 50)

38. Find (A × B) mod 16 using the matrices in Figure 2.28.



Figure 2.28 Matrices for Exercise 38

A    B



39. In Figure 2.29, find the determinant and the multiplicative inverse of each residue matrix over Z_26.

Figure 2.29 Residue matrices for Exercise 39

A    B    C

40. Find all solutions to the following sets of linear equations:

a. …x + 5y ≡ 4 (mod 5)

b. …x + 2y ≡ 5 (mod 7)
   4x + 6y ≡ 4 (mod 7)

c. 7x + 3y ≡ 3 (mod 7)
   4x + 2y ≡ 5 (mod 7)

d. 2x + 3y ≡ 5 (mod 8)
   x + 6y ≡ 3 (mod 8)




Traditional Symmetric-Key Ciphers

Objectives

This chapter presents a survey of traditional symmetric-key ciphers used in the past. By examining the principles of such ciphers, it prepares the reader for the next few chapters, which discuss modern symmetric-key ciphers. This chapter has several objectives:

□ To define the terms and the concepts of symmetric-key ciphers
□ To emphasize the two categories of traditional ciphers: substitution ciphers and transposition ciphers
□ To describe the categories of cryptanalysis used to break the symmetric ciphers
□ To introduce the concepts of the stream ciphers and block ciphers
□ To discuss some very dominant ciphers used in the past, such as the Enigma machine

The general idea behind symmetric-key ciphers will be introduced here using examples from cryptography. The terms and definitions presented are used in all later chapters on symmetric-key ciphers. We then discuss traditional symmetric-key ciphers. These ciphers are not used today, but we study them for several reasons. First, they are simpler than modern ciphers and easier to understand. Second, they show the basic foundation of cryptography and encipherment. This foundation can be used to better understand modern ciphers. Third, they provide the rationale for using modern ciphers, because the traditional ciphers can be easily attacked using a computer. Ciphers that were secure in earlier eras are no longer secure in this computer age.



CHAPTER 3 TRADITIONAL SYMMETRIC-KEY CIPHERS

3.1 INTRODUCTION

Figure 3.1 shows the general idea behind a symmetric-key cipher.



Figure 3.1 General idea of symmetric-key cipher

Plaintext → Encryption algorithm → Ciphertext → Decryption algorithm → Plaintext; both algorithms use the shared secret key.

In Figure 3.1, an entity, Alice, can send a message to another entity, Bob, over an insecure channel with the assumption that an adversary, Eve, cannot understand the contents of the message by simply eavesdropping over the channel.

The original message from Alice to Bob is called plaintext; the message that is sent through the channel is called the ciphertext. To create the ciphertext from the plaintext, Alice uses an encryption algorithm and a shared secret key. To create the plaintext from ciphertext, Bob uses a decryption algorithm and the same secret key. We refer to encryption and decryption algorithms as ciphers. A key is a set of values (numbers) that the cipher, as an algorithm, operates on.

Note that the symmetric-key encipherment uses a single key (the key itself may be a set of values) for both encryption and decryption. In addition, the encryption and decryption algorithms are inverses of each other. If P is the plaintext, C is the ciphertext, and K is the key, the encryption algorithm E_k(x) creates the ciphertext from the plaintext; the decryption algorithm D_k(x) creates the plaintext from the ciphertext. We assume that E_k(x) and D_k(x) are inverses of each other: they cancel the effect of each other if they are applied one after the other on the same input. We have

Encryption: C = E_k(P)        Decryption: P = D_k(C)

in which, D_k(E_k(x)) = E_k(D_k(x)) = x

We can prove that the plaintext created by Bob is the same as the one originated by Alice. We assume that Bob creates P1; we prove that P1 = P:

Alice: C = E_k(P)        Bob: P1 = D_k(C) = D_k(E_k(P)) = P

We need to emphasize that, according to Kerckhoff's principle (described later), it is better to make the encryption and decryption public but keep the shared key secret.




SECTION 3.1 INTRODUCTION 57

This means that Alice and Bob need another channel, a secured one, to exchange the secret key. Alice and Bob can meet once and exchange the key personally. The secured channel here is the face-to-face exchange of the key. They can also trust a third party to give them the same key. They can create a temporary secret key using another kind of cipher, asymmetric-key ciphers, which will be described in later chapters. The concept will be dealt with in future chapters. In this chapter, we assume that there is an established secret key between Alice and Bob.

Using symmetric-key encipherment, Alice and Bob can use the same key for communication in the other direction, from Bob to Alice. This is why the method is called symmetric.

Another element in symmetric-key encipherment is the number of keys. Alice needs another secret key to communicate with another person, say David. If there are m people in a group who need to communicate with each other, how many keys are needed? The answer is (m × (m - 1))/2 because each person needs m - 1 keys to communicate with the rest of the group, but the key between A and B can be used in both directions. We will see in later chapters how this problem is being handled.

Encryption can be thought of as locking the message in a box; decryption can be thought of as unlocking the box. In symmetric-key encipherment, the same key locks and unlocks as shown in Figure 3.2. Later chapters show that the asymmetric-key encipherment needs two keys, one for locking and one for unlocking.

Figure 3.2 Symmetric-key encipherment as locking and unlocking with the same key






Kerckhoff's Principle

Although it may appear that a cipher would be more secure if we hide both the encryption/decryption algorithm and the secret key, this is not recommended. Based on Kerckhoff's principle, one should always assume that the adversary, Eve, knows the encryption/decryption algorithm. The resistance of the cipher to attack must be based only on the secrecy of the key. In other words, guessing the key should be so difficult that there is no need to hide the encryption/decryption algorithm. This principle manifests itself more clearly when we study modern ciphers. There are only a few algorithms for modern ciphers today. The key domain for each algorithm, however, is so large that it makes it difficult for the adversary to find the key.

Cryptanalysis

As cryptography is the science and art of creating secret codes, cryptanalysis is the science and art of breaking those codes. In addition to studying cryptography techniques, we also need to study cryptanalysis techniques. This is needed not to break other people's codes, but to learn how vulnerable our cryptosystem is. The study of cryptanalysis helps us create better secret codes. There are four common types of cryptanalysis attacks, as shown in Figure 3.3. We will study some of these attacks on particular ciphers in this and future chapters.



[Figure 3.3 Cryptanalysis attacks: ciphertext-only, known-plaintext, chosen-plaintext, chosen-ciphertext]




Ciphertext-Only Attack

In a ciphertext-only attack, Eve has access to only some ciphertext. She tries to find the corresponding key and the plaintext. The assumption is that Eve knows the algorithm and can intercept the ciphertext. The ciphertext-only attack is the most probable one because Eve needs only the ciphertext for this attack. To thwart the decryption of a message by an adversary, a cipher must be very resistant to this type of attack. Figure 3.4 shows the process.



[Figure 3.4 Ciphertext-only attack: Eve sees only the ciphertext passing from Alice to Bob]



Various methods can be used in a ciphertext-only attack. We mention some common ones here.

Brute-Force Attack

In the brute-force method or exhaustive-key-search method, Eve tries to use all possible keys. We assume that Eve knows the algorithm and knows the key domain (the list of all possible keys). Using the intercepted cipher, Eve decrypts the ciphertext with every possible key until the plaintext makes sense. Using brute-force attack was a difficult task in the past; it is easier today using a computer. To prevent this type of attack, the number of possible keys must be very large.

Statistical Attack

The cryptanalyst can benefit from some inherent characteristics of the plaintext language to launch a statistical attack. For example, we know that the letter E is the most frequently used letter in English text. The cryptanalyst finds the mostly used character in the ciphertext and assumes that the corresponding plaintext character is E. After finding a few pairs, the analyst can find the key and use it to decrypt the message. To prevent this type of attack, the cipher should hide the characteristics of the language.

Pattern Attack

Some ciphers may hide the characteristics of the language, but may create some patterns in the ciphertext. A cryptanalyst may use a pattern attack to break the cipher. Therefore, it is important to use ciphers that make the ciphertext look as random as possible.

Known-Plaintext Attack

In a known-plaintext attack, Eve has access to some plaintext/ciphertext pairs in addition to the intercepted ciphertext that she wants to break, as shown in Figure 3.5.

[Figure 3.5 Known-plaintext attack: Eve holds earlier plaintext/ciphertext pairs in addition to the intercepted ciphertext]



The plaintext/ciphertext pairs have been collected earlier. For example, Alice has sent a secret message to Bob, but she has later made the contents of the message public. Eve has kept both the ciphertext and the plaintext to use them to break the next secret message from Alice to Bob, assuming that Alice has not changed her key. Eve uses the relationship between the previous pair to analyze the current ciphertext. The same methods used in a ciphertext-only attack can be applied here. This attack is easier to implement because Eve has more information to use for analysis. However, it is less likely to happen because Alice may have changed her key or may have not disclosed the contents of any previous messages.







Chosen-Plaintext Attack

The chosen-plaintext attack is similar to the known-plaintext attack, but the plaintext/ciphertext pairs have been chosen by the attacker herself. Figure 3.6 shows the process.



[Figure 3.6 Chosen-plaintext attack: the pair is created from plaintext chosen by Eve]






This can happen, for example, if Eve has access to Alice's computer. She can choose some plaintext and intercept the created ciphertext. Of course, she does not have the key because the key is normally embedded in the software used by the sender. This type of attack is much easier to implement, but it is much less likely to happen.

Chosen-Ciphertext Attack

The chosen-ciphertext attack is similar to the chosen-plaintext attack, except that Eve chooses some ciphertext and decrypts it to form a ciphertext/plaintext pair. This can happen if Eve has access to Bob's computer. Figure 3.7 shows the process.



[Figure 3.7 Chosen-ciphertext attack: the pair is created from ciphertext chosen by Eve]



Categories of Traditional Ciphers

We can divide traditional symmetric-key ciphers into two broad categories: substitution ciphers and transposition ciphers. In a substitution cipher, we replace one symbol in the ciphertext with another symbol; in a transposition cipher, we reorder the position of symbols in the plaintext.




3.2 SUBSTITUTION CIPHERS

A substitution cipher replaces one symbol with another. If the symbols in the plaintext are alphabetic characters, we replace one character with another. For example, we can replace letter A with letter D, and letter T with letter Z. If the symbols are digits (0 to 9), we can replace 3 with 7, and 2 with 6. Substitution ciphers can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.



A substitution cipher replaces one symbol with another.



Monoalphabetic Ciphers

We first discuss a group of substitution ciphers called the monoalphabetic ciphers. In monoalphabetic substitution, a character (or a symbol) in the plaintext is always changed to the same character (or symbol) in the ciphertext regardless of its position in the text. For example, if the algorithm says that letter A in the plaintext is changed to letter D, every letter A is changed to letter D. In other words, the relationship between letters in the plaintext and the ciphertext is one-to-one.

In monoalphabetic substitution, the relationship between a symbol in the plaintext to a symbol in the ciphertext is always one-to-one.



Example 3.1

The following shows a plaintext and its corresponding ciphertext. We use lowercase characters to show the plaintext; we use uppercase characters to show the ciphertext. The cipher is probably monoalphabetic because both l's (els) are encrypted as O's.

Plaintext: hello    Ciphertext: KHOOR

Example 3.2

The following shows a plaintext and its corresponding ciphertext. The cipher is not monoalphabetic because each l (el) is encrypted by a different character. The first l (el) is encrypted as N; the second as Z.

Plaintext: hello    Ciphertext: ABNZF



Additive Cipher

The simplest monoalphabetic cipher is the additive cipher. This cipher is sometimes called a shift cipher and sometimes a Caesar cipher, but the term additive cipher better reveals its mathematical nature. Assume that the plaintext consists of lowercase letters (a to z), and that the ciphertext consists of uppercase letters (A to Z). To be able to apply mathematical operations on the plaintext and ciphertext, we assign numerical values to each letter (lowercase or uppercase), as shown in Figure 3.8.

[Figure 3.8 Plaintext and ciphertext characters and their integer values in Z_26]

In Figure 3.8 each character (lowercase or uppercase) is assigned an integer in Z_26. The secret key between Alice and Bob is also an integer in Z_26. The encryption algorithm adds the key to the plaintext character; the decryption algorithm subtracts the key from the ciphertext character. All operations are done in Z_26. Figure 3.9 shows the process.



[Figure 3.9 Additive cipher: Alice computes C = (P + k) mod 26 and sends the ciphertext; Bob computes P = (C − k) mod 26]




We can easily prove that the encryption and decryption are inverse of each other because the plaintext created by Bob (P1) is the same as the one sent by Alice (P):

P1 = (C − k) mod 26 = (P + k − k) mod 26 = P

When the cipher is additive, the plaintext, ciphertext, and key are integers in Z_26.
Example 3.3

Use the additive cipher with key = 15 to encrypt the message "hello".

Solution

We apply the encryption algorithm to the plaintext, character by character:

Plaintext: h → 07    Encryption: (07 + 15) mod 26    Ciphertext: 22 → W
Plaintext: e → 04    Encryption: (04 + 15) mod 26    Ciphertext: 19 → T
Plaintext: l → 11    Encryption: (11 + 15) mod 26    Ciphertext: 00 → A
Plaintext: l → 11    Encryption: (11 + 15) mod 26    Ciphertext: 00 → A
Plaintext: o → 14    Encryption: (14 + 15) mod 26    Ciphertext: 03 → D

The result is "WTAAD". Note that the cipher is monoalphabetic because two instances of the same plaintext character (l) are encrypted as the same character (A).

Example 3.4

Use the additive cipher with key = 15 to decrypt the message "WTAAD".

Solution

We apply the decryption algorithm to the ciphertext character by character:

Ciphertext: W → 22    Decryption: (22 − 15) mod 26    Plaintext: 07 → h
Ciphertext: T → 19    Decryption: (19 − 15) mod 26    Plaintext: 04 → e
Ciphertext: A → 00    Decryption: (00 − 15) mod 26    Plaintext: 11 → l
Ciphertext: A → 00    Decryption: (00 − 15) mod 26    Plaintext: 11 → l
Ciphertext: D → 03    Decryption: (03 − 15) mod 26    Plaintext: 14 → o

The result is "hello". Note that the operation is in modulo 26 (see Chapter 2), which means that a negative result needs to be mapped to Z_26 (for example, −15 becomes 11).
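The additive cipher of Examples 3.3 and 3.4 as running code. This is an added example, not code from the textbook; the function names are this example's own, and it assumes plaintext in lowercase a to z with ciphertext in uppercase A to Z, as Figures 3.8 and 3.9 do. The trace function reproduces the character-by-character table of Example 3.3.

```python
# Added example (not from the textbook): the additive (shift) cipher over Z_26.
# Plaintext is lowercase, ciphertext uppercase; non-letters pass through unchanged.

def letter_value(ch: str) -> int:
    """Value of a letter in Z_26: a/A -> 0, ..., z/Z -> 25 (Figure 3.8)."""
    return ord(ch.lower()) - ord("a")

def value_letter(value: int, upper: bool) -> str:
    """Inverse of letter_value; the % maps a negative result such as -15 to 11."""
    base = ord("A") if upper else ord("a")
    return chr(base + value % 26)

def additive_encrypt(plaintext: str, key: int) -> str:
    """C = (P + k) mod 26 for each letter."""
    if not 0 <= key <= 25:
        raise ValueError("key must be an integer in Z_26")
    return "".join(
        value_letter(letter_value(ch) + key, upper=True) if ch.isalpha() else ch
        for ch in plaintext
    )

def additive_decrypt(ciphertext: str, key: int) -> str:
    """P = (C - k) mod 26 for each letter."""
    if not 0 <= key <= 25:
        raise ValueError("key must be an integer in Z_26")
    return "".join(
        value_letter(letter_value(ch) - key, upper=False) if ch.isalpha() else ch
        for ch in ciphertext
    )

def encryption_trace(plaintext: str, key: int) -> list:
    """Rows of the table in Example 3.3:
    (plaintext letter, its value, ciphertext value, ciphertext letter)."""
    rows = []
    for ch in plaintext:
        if ch.isalpha():
            p = letter_value(ch)
            c = (p + key) % 26
            rows.append((ch, p, c, value_letter(c, upper=True)))
    return rows

if __name__ == "__main__":
    for ch, p, c, out in encryption_trace("hello", 15):
        print(f"Plaintext: {ch} -> {p:02d}   Encryption: ({p:02d} + 15) mod 26"
              f"   Ciphertext: {c:02d} -> {out}")
    print(additive_encrypt("hello", 15), additive_decrypt("WTAAD", 15))
```

Key 3 turns "hello" into "KHOOR", the ciphertext of Example 3.1, which is why that cipher was called probably monoalphabetic.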

Shift Cipher

Historically, additive ciphers are called shift ciphers. The reason is that the encryption algorithm can be interpreted as "shift key characters down" and the decryption algorithm can be interpreted as "shift key characters up". For example, if the key = 15, the encryption algorithm shifts 15 characters down (toward the end of the alphabet). The decryption algorithm shifts 15 characters up (toward the beginning of the alphabet). Of course, when we reach the end or the beginning of the alphabet, we wrap around (a manifestation of modulo 26).

Caesar Cipher

Julius Caesar used an additive cipher to communicate with his officers. For this reason, additive ciphers are sometimes referred to as the Caesar cipher. Caesar used a key of 3 for his communications.

Additive ciphers are sometimes referred to as shift ciphers or Caesar cipher.

Cryptanalysis

Additive ciphers are vulnerable to ciphertext-only attacks using exhaustive key searches (brute-force attacks). The key domain of the additive cipher is very small; there are only 26 keys. However, one of the keys, zero, is useless (the ciphertext is the same as the plaintext). This leaves only 25 possible keys. Eve can easily launch a brute-force attack on the ciphertext.



Example 3.5

Eve has intercepted the ciphertext "UVACLYFZLJBYL". Show how she can use a brute-force attack to break the cipher.

Solution

Eve tries keys from 1 to 7. With a key of 7, the plaintext is "not very secure", which makes sense.

[Table of trial decryptions for k = 1 through k = 7; the row for k = 7 reads "notverysecure"]



Additive ciphers are also subject to statistical attacks. This is especially true if the adversary has a long ciphertext. The adversary can use the frequency of occurrence of characters for a particular language. Table 3.1 shows the frequency for an English text of 100 characters.

Table 3.1 Frequency of occurrence of letters in an English text [letter counts not legible in the scan]




However, sometimes it is difficult to analyze a ciphertext based only on information about the frequency of a single letter; we may need to know the occurrence of specific letter combinations. We need to know the frequency of two-letter or three-letter strings in the ciphertext and compare them with the frequency of two-letter or three-letter strings in the underlying language of the plaintext.

The most common two-letter groups (digrams) and three-letter groups (trigrams) for the English text are shown in Table 3.2.

Table 3.2 Grouping of digrams and trigrams based on their frequency in English

Digram:  TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF
Trigram: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH



Example 3.6

Eve has intercepted the following ciphertext. Using a statistical attack, find the plaintext.

XLILSYWIMWRSAJSVWEPIJSVJSYVQMPPMSRHSPPEVWMXMWASVXLQSVILYVVCFIJSVIXLIWIPPIVVIGIMZIWQSVISJJIVW

Solution

When Eve tabulates the frequency of letters in this ciphertext, she gets: I = 14, V = 13, S = 12, and so on. The most common character is I with 14 occurrences. This shows that character I in the ciphertext probably corresponds to the character e in plaintext. This means key = 4. Eve deciphers the text to get

the house is now for sale for four million dollars it is worth more hurry before the seller receives more offers

Multiplicative Ciphers

In a multiplicative cipher, the encryption algorithm specifies multiplication of the plaintext by the key and the decryption algorithm specifies division of the ciphertext by the key as shown in Figure 3.10. However, since operations are in Z_26, decryption here means multiplying by the multiplicative inverse of the key. Note that the key needs to belong in the set Z_26* to guarantee that the encryption and decryption are inverses of each other.

[Figure 3.10 Multiplicative cipher: Alice computes C = (P × k) mod 26; Bob computes P = (C × k^(−1)) mod 26]

In a multiplicative cipher, the plaintext and ciphertext are integers in Z_26; the key is an integer in Z_26*.

Example 3.7

What is the key domain for any multiplicative cipher?

Solution

The key needs to be in Z_26*. This set has only 12 members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.



Example 3.8

We use a multiplicative cipher to encrypt the message "hello" with a key of 7. The ciphertext is "XCZZU".

Plaintext: h → 07    Encryption: (07 × 07) mod 26    Ciphertext: 23 → X
Plaintext: e → 04    Encryption: (04 × 07) mod 26    Ciphertext: 02 → C
Plaintext: l → 11    Encryption: (11 × 07) mod 26    Ciphertext: 25 → Z
Plaintext: l → 11    Encryption: (11 × 07) mod 26    Ciphertext: 25 → Z
Plaintext: o → 14    Encryption: (14 × 07) mod 26    Ciphertext: 20 → U

Affine Cipher

We can combine the additive and multiplicative ciphers to get what is called the affine cipher, a combination of both ciphers with a pair of keys. The first key is used with the multiplicative cipher, the second key is used with the additive cipher. Figure 3.11 shows that the affine cipher is actually two ciphers applied one after another. We could have shown only one complex operation for the encryption or decryption such as C = (P × k1 + k2) mod 26 and P = ((C − k2) × k1^(−1)) mod 26. However, we have used a temporary result (T) and have indicated two separate operations to show that whenever we use a combination of ciphers we should be sure that one has an inverse at the other side of the line and that they are used in reverse order in encryption and decryption. If addition is the last operation in encryption, then subtraction should be the first in decryption.



[Figure 3.11 Affine cipher: Alice computes T = (P × k1) mod 26, then C = (T + k2) mod 26; Bob computes T = (C − k2) mod 26, then P = (T × k1^(−1)) mod 26]

In the affine cipher, the relationship between the plaintext P and the ciphertext C is

C = (P × k1 + k2) mod 26        P = ((C − k2) × k1^(−1)) mod 26

where k1^(−1) is the multiplicative inverse of k1 and −k2 is the additive inverse of k2.




Example 3.9

The affine cipher uses a pair of keys in which the first key is from Z_26* and the second is from Z_26. The size of the key domain is 26 × 12 = 312.

Example 3.10

Use an affine cipher to encrypt the message "hello" with the key pair (7, 2).

Solution

We use 7 for the multiplicative key and 2 for the additive key. We get "ZEBBW".

P: h → 07    Encryption: (07 × 7 + 2) mod 26    C: 25 → Z
P: e → 04    Encryption: (04 × 7 + 2) mod 26    C: 04 → E
P: l → 11    Encryption: (11 × 7 + 2) mod 26    C: 01 → B
P: l → 11    Encryption: (11 × 7 + 2) mod 26    C: 01 → B
P: o → 14    Encryption: (14 × 7 + 2) mod 26    C: 22 → W

Example 3.11

Use the affine cipher to decrypt the message "ZEBBW" with the key pair (7, 2) in modulus 26.

Solution

Add the additive inverse of 2, which is −2 ≡ 24 (mod 26), to the received ciphertext. Then multiply the result by the multiplicative inverse 7^(−1) ≡ 15 (mod 26) to find the plaintext characters. Because 2 has an additive inverse in Z_26 and 7 has a multiplicative inverse in Z_26*, the plaintext is exactly what we used in Example 3.10.

C: Z → 25    Decryption: ((25 − 2) × 7^(−1)) mod 26    P: 07 → h
C: E → 04    Decryption: ((04 − 2) × 7^(−1)) mod 26    P: 04 → e
C: B → 01    Decryption: ((01 − 2) × 7^(−1)) mod 26    P: 11 → l
C: B → 01    Decryption: ((01 − 2) × 7^(−1)) mod 26    P: 11 → l
C: W → 22    Decryption: ((22 − 2) × 7^(−1)) mod 26    P: 14 → o

Example 3.12

The additive cipher is a special case of an affine cipher in which k1 = 1. The multiplicative cipher is a special case of affine cipher in which k2 = 0.



Cryptanalysis of Affine Cipher

Although the brute-force and statistical methods of ciphertext-only attack can be used, let us try a chosen-plaintext attack. Assume that Eve intercepts the following ciphertext:

PWUFFOGWCHFDWIWEJOUUNJORSMDWRHVCMWJUPVCCG

Eve also very briefly obtains access to Alice's computer and has only enough time to type a two-letter plaintext, "et". She then tries to encrypt the short plaintext using two different algorithms, because she is not sure which one is the affine cipher.

Algorithm 1: Plaintext: et    Ciphertext: WC
Algorithm 2: Plaintext: et    Ciphertext: WF



To find the key, Eve uses the following strategy:

Eve knows that if the first algorithm is affine, she can construct the following two equations based on the first data set.

(04 × k1 + k2) ≡ 22 (mod 26)
(19 × k1 + k2) ≡ 02 (mod 26)

As we learned in Chapter 2, these two congruence equations can be solved and the values of k1 and k2 can be found. However, this answer is not acceptable because k1 = 16 cannot be the first part of the key. Its value, 16, does not have a multiplicative inverse in Z_26*.

In matrix form, [4 1; 19 1] × [k1; k2] ≡ [22; 2] (mod 26), which gives k1 = 16 and k2 = 10.

Eve now tries the result of the second set of data.

(04 × k1 + k2) ≡ 22 (mod 26)
(19 × k1 + k2) ≡ 05 (mod 26)

The square matrix and its inverse are the same. Now she has k1 = 11 and k2 = 4. This pair is acceptable because k1 has a multiplicative inverse in Z_26*. She tries the pair of keys (19, 22), which are the inverse of the pair (11, 4), to decipher the message. The plaintext is

best time of the year is spring when flowers bloom




Monoalphabetic Substitution Cipher

Because additive, multiplicative, and affine ciphers have small key domains, they are very vulnerable to brute-force attack. After Alice and Bob agreed to a single key, that key is used to encrypt each letter in the plaintext or decrypt each letter in the ciphertext. In other words, the key is independent from the letters being transferred.

A better solution is to create a mapping between each plaintext character and the corresponding ciphertext character. Alice and Bob can agree on a table showing the mapping for each character. Figure 3.12 shows an example of such a mapping.



[Figure 3.12 An example key for monoalphabetic substitution cipher]

Example 3.13

We can use the key in Figure 3.12 to encrypt the message

Our message is easy to encrypt but hard to find the key

The ciphertext is

^riCFYQRV VNKFV Kft V SlYRG AHSLIOJICNHTI YB KJTICRX R5

The size of the key space for the monoalphabetic substitution cipher is 26! (almost 4 × 10^26). This makes a brute-force attack extremely difficult for Eve even if she is using a powerful computer. However, she can use a statistical attack based on the frequency of characters. The cipher does not change the frequency of characters.

The monoalphabetic substitution cipher does not change the frequency of characters in the ciphertext, which makes the cipher vulnerable to statistical attacks.



Polyalphabetic Ciphers

In polyalphabetic substitution, each occurrence of a character may have a different substitute. The relationship between a character in the plaintext to a character in the ciphertext is one-to-many. For example, "a" could be enciphered as "D" in the beginning of the text, but as "N" at the middle. Polyalphabetic ciphers have the advantage of hiding the letter frequency of the underlying language. Eve cannot use single-letter frequency statistics to break the ciphertext.

To create a polyalphabetic cipher, we need to make each ciphertext character dependent on both the corresponding plaintext character and the position of the plaintext character in the message. This implies that our key should be a stream of subkeys, in which each subkey depends somehow on the position of the plaintext character that uses that subkey for encipherment. In other words, we need to have a key stream k = (k1, k2, k3, ...) in which ki is used to encipher the ith character in the plaintext to create the ith character in the ciphertext.

Autokey Cipher

To see the position dependency of the key, let us discuss a simple polyalphabetic cipher called the autokey cipher. In this cipher, the key is a stream of subkeys, in which each subkey is used to encrypt the corresponding character in the plaintext. The first subkey is a predetermined value secretly agreed upon by Alice and Bob. The second subkey is the value of the first plaintext character (between 0 and 25). The third subkey is the value of the second plaintext. And so on.



P = P1 P2 P3 ...        C = C1 C2 C3 ...        k = (k1, P1, P2, ...)

Encryption: Ci = (Pi + ki) mod 26        Decryption: Pi = (Ci − ki) mod 26

The name of the cipher, autokey, implies that the subkeys are automatically created from the plaintext cipher characters during the encryption process.

Example 3.14

Assume that Alice and Bob agreed to use an autokey cipher with initial key value k1 = 12. Now Alice wants to send Bob the message "Attack is today". Enciphering is done character by character. Each character in the plaintext is first replaced by its integer value as shown in Figure 3.8. The first subkey is added to create the first ciphertext character. The rest of the key is created as the plaintext characters are read. Note that the cipher is polyalphabetic because the three occurrences of "a" in the plaintext are encrypted differently. The three occurrences of the "t" are enciphered differently.

Plaintext:    a   t   t   a   c   k   i   s   t   o   d   a   y
P's values:   00  19  19  00  02  10  08  18  19  14  03  00  24
Key stream:   12  00  19  19  00  02  10  08  18  19  14  03  00
C's values:   12  19  12  19  02  12  18  00  11  07  17  03  24
Ciphertext:   M   T   M   T   C   M   S   A   L   H   R   D   Y

The autokey cipher definitely hides the single-letter frequency statistics of the plaintext. However, it is still as vulnerable to the brute-force attack as the additive cipher. The first subkey can be only one of the 25 values (1 to 25). We need polyalphabetic ciphers that not only hide the characteristics of the language but also have large key domains.
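The autokey cipher of Example 3.14 as code, including the point made in the paragraph above: because only the first subkey is secret, the whole key space is 25 trials. This is an added example, not code from the textbook; the function names are this example's own, and the message and k1 = 12 are Example 3.14's.

```python
# Added example (not from the textbook): the autokey cipher, key stream (k1, P1, P2, ...).

def values(text: str) -> list:
    """Letters of text as integers in Z_26 (non-letters dropped)."""
    return [ord(ch) - ord("a") for ch in text.lower() if ch.isalpha()]

def autokey_keystream(plain_values: list, k1: int) -> list:
    """First subkey is the shared secret; every later subkey is the previous plaintext value."""
    return [k1] + plain_values[:-1]

def autokey_encrypt(plaintext: str, k1: int) -> str:
    p = values(plaintext)
    return "".join(chr(ord("A") + (pi + ki) % 26)
                   for pi, ki in zip(p, autokey_keystream(p, k1)))

def autokey_decrypt(ciphertext: str, k1: int) -> str:
    """Bob cannot build the key stream in advance: each recovered plaintext
    value becomes the subkey for the next character."""
    out, k = [], k1
    for ch in ciphertext.upper():
        if not ch.isalpha():
            continue
        pi = (ord(ch) - ord("A")) - k
        pi %= 26
        out.append(chr(ord("a") + pi))
        k = pi
    return "".join(out)

def autokey_trace(plaintext: str, k1: int) -> dict:
    """The four rows of the table in Example 3.14."""
    p = values(plaintext)
    ks = autokey_keystream(p, k1)
    c = [(pi + ki) % 26 for pi, ki in zip(p, ks)]
    return {"P": p, "key": ks, "C": c,
            "ciphertext": "".join(chr(ord("A") + ci) for ci in c)}

def autokey_brute_force(ciphertext: str) -> dict:
    """Only 25 initial subkeys exist, so every candidate plaintext is one call away."""
    return {k: autokey_decrypt(ciphertext, k) for k in range(1, 26)}

if __name__ == "__main__":
    trace = autokey_trace("Attack is today", 12)
    for name in ("P", "key", "C"):
        print(f"{name:>4}: " + " ".join(f"{v:02d}" for v in trace[name]))
    print("Ciphertext:", trace["ciphertext"])
    print(autokey_brute_force(trace["ciphertext"])[12])
```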

Playfair Cipher

Another example of a polyalphabetic cipher is the Playfair cipher used by the British army during World War I. The secret key in this cipher is made of 25 alphabet letters arranged in a 5 × 5 matrix (letters I and J are considered the same when encrypting). Different arrangements of the letters in the matrix can create many different secret keys. One of the possible arrangements is shown in Figure 3.13. We have dropped the letters in the matrix diagonally starting from the top right-hand corner.



Figure 3.13 An example of a secret key in the Playfair cipher

Secret Key =
L  G  D  B  A
Q  M  H  E  C
U  R  N  I/J F
X  V  S  O  K
Z  Y  W  T  P

Before encryption, if the two letters in a pair are the same, a bogus letter is inserted to separate them. After inserting bogus letters, if the number of characters in the plaintext is odd, one extra bogus character is added at the end to make the number of characters even.

The cipher uses three rules for encryption:

a. If the two letters in a pair are located in the same row of the secret key, the corresponding encrypted character for each letter is the next letter to the right in the same row (with wrapping to the beginning of the row if the plaintext letter is the last character in the row).

b. If the two letters in a pair are located in the same column of the secret key, the corresponding encrypted character for each letter is the letter beneath it in the same column (with wrapping to the beginning of the column if the plaintext letter is the last character in the column).

c. If the two letters in a pair are not in the same row or column of the secret key, the corresponding encrypted character for each letter is a letter that is in its own row but in the same column as the other letter.

The Playfair cipher meets our criteria for a polyalphabetic cipher. The key is a stream of subkeys in which the subkeys are created two at a time. In Playfair cipher, the key stream and the cipher stream are the same. This means that the above-mentioned rules can be thought of as the rules for creating the key stream. The encryption algorithm takes a pair of characters from the plaintext and creates a pair of subkeys by following the above-mentioned rules. We can say that the key stream depends on the position of the character in the plaintext. Position dependency has a different interpretation here: the subkey for each plaintext character depends on the next or previous neighbor. Looking at the Playfair cipher in this way, the ciphertext is actually the key stream.




Example 3.15

Let us encrypt the plaintext "hello" using the key in Figure 3.13. When we group the letters in two-character pairs, we get "he, ll, o". We need to insert an x between the two l's (els), giving "he, lx, lo". We have

he → EC    lx → QZ    lo → BX

Plaintext: hello    Ciphertext: ECQZBX

We can see from this example that the cipher is actually a polyalphabetic cipher: the two occurrences of the letter "l" (el) are encrypted as "Q" and "B".

Cryptanalysis of a Playfair Cipher

Obviously a brute-force attack on a Playfair cipher is very difficult. The size of the key domain is 25! (factorial 25). In addition, the encipherment hides the single-letter frequency of the characters. However, the frequencies of digrams are preserved (to some extent, because of filler insertion), so a cryptanalyst can use a ciphertext-only attack based on the digram frequency test to find the key.
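Playfair encryption and decryption with the three rules above, run on the key of Figure 3.13 and the plaintext of Example 3.15, plus a digram counter that makes the cryptanalysis remark concrete: a repeated plaintext pair becomes a repeated ciphertext pair. This is an added example, not code from the textbook; the function names, the filler letter X, and the fallback filler Q (used only when the doubled letter is itself X) are this example's own choices.

```python
# Added example (not from the textbook): Playfair cipher on a 5 x 5 key, I and J merged.
from collections import Counter

KEY_ROWS = ["LGDBA", "QMHEC", "URNIF", "XVSOK", "ZYWTP"]   # Figure 3.13

def positions(rows: list) -> dict:
    """Letter -> (row, column); J shares I's cell."""
    pos = {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}
    pos["J"] = pos["I"]
    return pos

def prepare(plaintext: str, filler: str = "X") -> list:
    """Uppercase, J -> I, split doubled letters with a filler, pad to even length."""
    letters = ["I" if ch == "J" else ch for ch in plaintext.upper() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append(a + (filler if a != filler else "Q"))   # fallback for "XX"
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def _map_pair(pair: str, rows: list, step: int) -> str:
    """step = +1 encrypts (right/down); step = -1 decrypts (left/up)."""
    pos = positions(rows)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                   # rule a: same row
        return rows[r1][(c1 + step) % 5] + rows[r2][(c2 + step) % 5]
    if c1 == c2:                                   # rule b: same column
        return rows[(r1 + step) % 5][c1] + rows[(r2 + step) % 5][c2]
    return rows[r1][c2] + rows[r2][c1]             # rule c: own row, other's column

def playfair_encrypt(plaintext: str, rows: list = KEY_ROWS) -> str:
    return "".join(_map_pair(p, rows, +1) for p in prepare(plaintext))

def playfair_decrypt(ciphertext: str, rows: list = KEY_ROWS) -> str:
    """Returns the padded plaintext; fillers (the X in HELXLO) are left for the reader."""
    letters = [ch for ch in ciphertext.upper() if ch.isalpha()]
    return "".join(_map_pair(letters[i] + letters[i + 1], rows, -1)
                   for i in range(0, len(letters) - 1, 2))

def digram_counts(text: str) -> Counter:
    """Counts of the non-overlapping letter pairs Playfair works on."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    return Counter(letters[i] + letters[i + 1] for i in range(0, len(letters) - 1, 2))

if __name__ == "__main__":
    print(prepare("hello"), playfair_encrypt("hello"), playfair_decrypt("ECQZBX"))
    print(digram_counts("hehe"), digram_counts(playfair_encrypt("hehe")))
```

The single letter l maps to two different ciphertext letters, but the pair "he" maps to "EC" every time it occurs at an even offset, which is exactly the regularity a digram-frequency attack exploits.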

V 

Vigenère Cipher

One interesting kind of polyalphabetic cipher was designed by Blaise de Vigenère, a sixteenth-century French mathematician. A Vigenère cipher uses a different strategy to create the key stream. The key stream is a repetition of an initial secret key stream of length m, where we have 1 ≤ m ≤ 26. The cipher can be described as follows where (k1, k2, ..., km) is the initial secret key agreed to by Alice and Bob.

P = P1 P2 P3 ...    C = C1 C2 C3 ...    K = [(k1, k2, ..., km), (k1, k2, ..., km), ...]

Encryption: Ci = Pi + ki        Decryption: Pi = Ci − ki        (all operations in Z_26)

One important difference between the Vigenère cipher and the other two polyalphabetic ciphers we have looked at is that the Vigenère key stream does not depend on the plaintext characters; it depends only on the position of the character in the plaintext. In other words, the key stream can be created without knowing what the plaintext is.

Example 3.16

Let us see how we can encrypt the message "She is listening" using the 6-character keyword "PASCAL". The initial key stream is (15, 0, 18, 2, 0, 11). The key stream is the repetition of this initial key stream (as many times as needed).

Plaintext:    s   h   e   i   s   l   i   s   t   e   n   i   n   g
P's values:   18  07  04  08  18  11  08  18  19  04  13  08  13  06
Key stream:   15  00  18  02  00  11  15  00  18  02  00  11  15  00
C's values:   07  07  22  10  18  22  23  18  11  06  13  19  02  06
Ciphertext:   H   H   W   K   S   W   X   S   L   G   N   T   C   G

Example 3.17

Vigenère cipher can be seen as combinations of m additive ciphers. Figure 3.14 shows how the plaintext of the previous example can be thought of as six different pieces, each encrypted separately. The figure helps us later understand the cryptanalysis of Vigenère ciphers. There are m pieces of the plaintext, each encrypted with a different key, to make m pieces of ciphertext.

Example 3.18

Using Example 3.16, we can say that the additive cipher is a special case of Vigenère cipher in which m = 1.
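The Vigenère cipher of Examples 3.16 to 3.18 as code, including the split of the plaintext into m pieces that Example 3.17 describes: each piece is enciphered by a plain additive cipher with one of the keyword's values, which is the structure the later cryptanalysis relies on. This is an added example, not code from the textbook; the function names are this example's own, and the message and keyword PASCAL are Example 3.16's.

```python
# Added example (not from the textbook): Vigenère cipher with a position-only key stream.

def letter_values(text: str) -> list:
    """Letters of text as integers in Z_26 (non-letters dropped)."""
    return [ord(ch) - ord("a") for ch in text.lower() if ch.isalpha()]

def vigenere_keystream(keyword: str, length: int) -> list:
    """Repeat (k1, ..., km) as often as needed; it never depends on the plaintext."""
    k = letter_values(keyword)
    return [k[i % len(k)] for i in range(length)]

def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    p = letter_values(plaintext)
    return "".join(chr(ord("A") + (pi + ki) % 26)
                   for pi, ki in zip(p, vigenere_keystream(keyword, len(p))))

def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    c = letter_values(ciphertext)
    return "".join(chr(ord("a") + (ci - ki) % 26)
                   for ci, ki in zip(c, vigenere_keystream(keyword, len(c))))

def tableau_row(key_letter: str) -> str:
    """One row of the Vigenère tableau (Table 3.3): the alphabet shifted by the key letter."""
    k = ord(key_letter.upper()) - ord("A")
    return "".join(chr(ord("A") + (i + k) % 26) for i in range(26))

def split_into_pieces(text: str, m: int) -> list:
    """Piece i holds every m-th letter starting at position i (Example 3.17).
    With a keyword of length m, piece i is an additive cipher with key k_i."""
    letters = [ch for ch in text if ch.isalpha()]
    return ["".join(letters[i::m]) for i in range(m)]

if __name__ == "__main__":
    ct = vigenere_encrypt("She is listening", "PASCAL")
    print(ct, vigenere_decrypt(ct, "PASCAL"))
    for i, (pp, cp) in enumerate(zip(split_into_pieces("sheislistening", 6),
                                     split_into_pieces(ct, 6))):
        print(f"piece {i}: {pp} -> {cp} (additive key {letter_values('PASCAL')[i]})")
```

A keyword of length 1 reduces the code to the additive cipher of Example 3.18; with a keyword as long as the message and never reused, the same code is a one-time pad, which is why the key length m is the first thing a cryptanalyst tries to learn.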



Vigenère Tableau

Another way to look at Vigenère ciphers is through what is called a Vigenère tableau, shown in Table 3.3.



[Figure 3.14 A Vigenère cipher as a combination of m additive ciphers: the whole plaintext is split into m pieces, each enciphered with its own additive key, and the m ciphertext pieces are reassembled]

Table 3.3 A Vigenère tableau

[26 × 26 table: the first row lists the plaintext letters a to z, the first column the key letters A to Z, and each row is the alphabet shifted by the value of its key letter; the individual cells are not legible in the scan]

CHAPTER 3 TRADITIONAL SYMMETRIC-KEY CIPHERS

The first row shows the plaintext character to be encrypted. The first column contains the characters to be used by the key. The rest of the tableau shows the ciphertext characters. To find the ciphertext for the plaintext "she is listening" using the word "PASCAL" as the key, we can find "s" in the first row and "P" in the first column; the cross section is the ciphertext character "H". We can find "h" in the first row and "A" in the first column; the cross section is the ciphertext character "H". We do the same until all ciphertext characters are found.

Cryptanalysis of Vigenère Ciphers

Vigenère ciphers, like all polyalphabetic ciphers, do not preserve the frequency of characters. However, Eve can still use some techniques to decipher an intercepted ciphertext. The cryptanalysis here consists of two parts: finding the length of the key and finding the key itself.

1. Several methods have been devised to find the length of the key. One method is discussed here. In the so-called Kasiski test, the cryptanalyst searches for repeated text segments, of at least three characters, in the ciphertext. Suppose that two of these segments are found and the distance between them is d. The cryptanalyst assumes that m | d, where m is the key length. If more repeated segments can be found with distances d1, d2, ..., dn, then m | gcd(d1, d2, ..., dn). This assumption is logical because if two characters are the same and m × i (i = 1, 2, ...) characters apart in the plaintext, they are the same and m × i characters apart in the ciphertext. The cryptanalyst uses segments of at least three characters to avoid the cases where the characters in the key are not distinct. Example 3.20 may help us to understand the reason.

2. After the length of the key has been found, the cryptanalyst uses the idea shown in Example 3.18. She divides the ciphertext into m different pieces and applies the method used to cryptanalyze the additive cipher, including frequency attack. Each ciphertext piece can be decrypted and put together to create the whole plaintext. In other words, the whole ciphertext does not preserve the single-letter frequency of the plaintext, but each piece does.

Example 3.19

Let us assume we have intercepted the following ciphertext:

LlOM WGFE GOD V WG H HCQUOtHRWAG W|0 WQLK^LEIXKME V LWPCZVOTH-
VTS^XQOVG CS V OTQLTJS UM V W VEUVLXE WSLGFZMY V WtGY^U SWXQH-
VW V V*' J W t XGFWLTS]
vucrvGowiajLTis uxcjlw

The Kasiski test for repetition of three-character segments yields the results shown in Table 3.4.
Table 3.4 Kasiski test for Example 3.19

String   First index   Second index   Difference
JSU          68            168            100
SUM          69            117             48
VWV          72            132             60
MPH         119            127              8



SECTION 3.2 SUBSTITUTION CIPHERS 75

The greatest common divisor of differences is 4, which means that the key length is a multiple of 4. First try m = 4. Divide the ciphertext into four pieces. Piece C1 is made of characters 1, 5, 9, ...; piece C2 is made of characters 2, 6, 10, ...; and so on. Use the statistical attack on each piece separately. Interleave the deciphered pieces one character at a time to get the whole plaintext. If the plaintext does not make sense, try with another m.

Julius Caesar used a cryptosystem in his wars, which is now referred to as Caesar cipher. It is an additive cipher with the key set to three. Each character in the plaintext is shifted three characters to create ciphertext.

In this case, the plaintext makes sense.
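The tableau rule and the two-step cryptanalysis above as an added example (not code from the book): vigenere_encrypt reproduces the tableau lookup C_i = (P_i + k_i) mod 26, kasiski builds a Table 3.4 style list of repeated three-letter segments with their distances, key_length_candidate takes the gcd of those distances, and split_into_pieces makes the m pieces that are each a plain additive cipher. The plaintext, the keyword "KEYS" and the resulting ciphertext are constructed for this example.

```python
"""Vigenere encryption and the Kasiski test of Section 3.2 (added example)."""
from functools import reduce
from math import gcd
from typing import Dict, List, Tuple


def letters(text: str) -> str:
    """Keep only the 26 letters, lower-cased (spaces are dropped, as in the book)."""
    return "".join(c for c in text.lower() if c.isalpha())


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """C_i = (P_i + k_i) mod 26, the key stream repeating the keyword."""
    key = [ord(c) - ord("a") for c in letters(keyword)]
    out = []
    for i, c in enumerate(letters(plaintext)):
        out.append(chr(ord("A") + (ord(c) - ord("a") + key[i % len(key)]) % 26))
    return "".join(out)


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """P_i = (C_i - k_i) mod 26."""
    key = [ord(c) - ord("a") for c in letters(keyword)]
    out = []
    for i, c in enumerate(letters(ciphertext)):
        out.append(chr(ord("a") + (ord(c) - ord("a") - key[i % len(key)]) % 26))
    return "".join(out)


def kasiski(ciphertext: str, seg_len: int = 3) -> Dict[str, List[Tuple[int, int, int]]]:
    """Repeated segments of seg_len letters, each with (first index, second index,
    difference) for every consecutive pair of occurrences; indices are 0-based."""
    text = letters(ciphertext).upper()
    positions: Dict[str, List[int]] = {}
    for i in range(len(text) - seg_len + 1):
        positions.setdefault(text[i:i + seg_len], []).append(i)
    return {seg: [(a, b, b - a) for a, b in zip(idx, idx[1:])]
            for seg, idx in positions.items() if len(idx) > 1}


def key_length_candidate(ciphertext: str, seg_len: int = 3) -> int:
    """gcd of all Kasiski differences; the key length m divides this value.
    Returns 0 when no segment repeats (no evidence at all)."""
    diffs = [d for rows in kasiski(ciphertext, seg_len).values() for _, _, d in rows]
    return reduce(gcd, diffs, 0)


def split_into_pieces(ciphertext: str, m: int) -> List[str]:
    """Piece C_j = characters j, j+m, j+2m, ...; each piece is an additive cipher
    and can be attacked with single-letter frequency analysis."""
    text = letters(ciphertext).upper()
    return [text[j::m] for j in range(m)]


# Constructed sample: "we will meet at" repeats 16 letters apart, a multiple of
# the key length 4, so its trigrams repeat in the ciphertext at distance 16.
SAMPLE_PLAINTEXT = "we will meet at noon we will meet at dusk"
SAMPLE_KEYWORD = "KEYS"
SAMPLE_CIPHERTEXT = vigenere_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEYWORD)

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT)
    for seg, rows in sorted(kasiski(SAMPLE_CIPHERTEXT).items()):
        print(seg, rows)
    print("gcd of differences:", key_length_candidate(SAMPLE_CIPHERTEXT))
    print(split_into_pieces(SAMPLE_CIPHERTEXT, 4))
```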



Hill Cipher

Another example of a polyalphabetic cipher is the Hill cipher invented by Lester S. Hill. Unlike the other polyalphabetic ciphers we have already discussed, the plaintext is divided into equal-size blocks. The blocks are encrypted one at a time in such a way that each character in the block contributes to the encryption of other characters in the block. For this reason, the Hill cipher belongs to a category of ciphers called block ciphers. The other ciphers we studied so far belong to the category called stream ciphers. The differences between block and stream ciphers are discussed at the end of this chapter.

In a Hill cipher, the key is a square matrix of size m × m in which m is the size of the block. If we call the key matrix K, each element of the matrix is as shown in Figure 3.15.



Figure 3.15 Key in a Hill cipher



Figure 3.15 also shows how one block of the ciphertext is encrypted. If we call the m characters in the plaintext block P1, P2, ..., Pm, the corresponding characters in the ciphertext block are C1, C2, ..., Cm. Then we have

    C1 = P1 k11 + P2 k21 + ... + Pm km1
    C2 = P1 k12 + P2 k22 + ... + Pm km2
    ...
    Cm = P1 k1m + P2 k2m + ... + Pm kmm

The equations show that each ciphertext character such as C1 depends on all plaintext characters in the block (P1, P2, ..., Pm). However, we should be aware that not all square matrices have multiplicative inverses in Z26, so Alice and Bob should be careful in selecting the key. Bob will not be able to decrypt the ciphertext sent by Alice if the matrix does not have a multiplicative inverse.

The key matrix in the Hill cipher needs to have a multiplicative inverse.



Example 3.20

Using matrices allows Alice to encrypt the whole plaintext. In this case, the plaintext is an l × m matrix in which l is the number of blocks. For example, the plaintext "code is ready" can make a 3 × 4 matrix when adding the bogus character "z" to the last block and removing the spaces. The ciphertext is "OHKNIHGHFISS". Bob can decrypt the message using the inverse of the key.



Figure 3.16 Example 3.20 (plaintext matrix P = [02 14 03 04; 08 18 17 04; 00 03 24 25] for "codeisreadyz"; the 4 × 4 key matrix K and the ciphertext matrix C = PK, whose first row is 14 07 10 13, are shown in the original figure)



Cryptanalysis of Hill Ciphers

Ciphertext-only cryptanalysis of Hill ciphers is difficult. First, a brute-force attack on a Hill cipher is extremely difficult because the key is an m × m matrix. Each entry in the matrix can have one of the 26 values. At first glance, this means that the size of the key domain is 26^(m × m). However, not all of the matrices have multiplicative inverses. The key domain is smaller, but still huge.

Second, Hill ciphers do not preserve the statistics of the plaintext. Eve cannot run frequency analysis on single letters, digrams, or trigrams. A frequency analysis of words of size m might work, but it is very rare that a plaintext has many strings of size m that are the same.

Eve, however, can do a known-plaintext attack on the cipher if she knows the value of m and knows the plaintext/ciphertext pairs for at least m blocks. The blocks can belong to the same message or different messages but should be distinct. Eve can create two m × m matrices, P (plaintext) and C (ciphertext), in which the corresponding rows represent the known plaintext/ciphertext pairs. Because C = PK, Eve can use the relationship K = P^(-1)C to find the key if P is invertible. If P is not invertible, then Eve needs to use a different set of m plaintext/ciphertext pairs.

If Eve does not know the value of m, she can try different values, provided that m is not very large.

Example 3.21

Assume that Eve knows that m = 3. She has intercepted three plaintext/ciphertext pair blocks (not necessarily from the same message) as shown in Figure 3.17.

Figure 3.17 Example 3.21, plaintext/ciphertext pairs (P rows: 05 07 10, 11 17 07, 00 03 04; C rows: 03 06 00, ..., 03 17 11)

She makes matrices P and C from these pairs. Because P is invertible, she inverts the P matrix and multiplies it by C to get the K matrix as shown in Figure 3.18.

Figure 3.18 Example 3.21, finding the key (K = P^(-1) C; the matrix values are not reproduced)

Now she has the key and can break any ciphertext encrypted with that key.
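Example 3.20 and the known-plaintext attack of Example 3.21 in working code, as an added example (not code from the book). The 4 × 4 KEY is the matrix as I read it from Figure 3.16 and is an assumption; the four known plaintext blocks in the demo are constructed. inverse_mod26 refuses a matrix whose determinant is not coprime to 26, which is the condition behind the boxed note above.

```python
"""Hill cipher over Z26: encryption, decryption, and key recovery K = P^-1 C
from m known plaintext/ciphertext blocks (added example)."""
from typing import List, Tuple

Matrix = List[List[int]]
MOD = 26

# Assumed key: the 4 x 4 matrix of Figure 3.16 as read from the page.
KEY: Matrix = [[9, 7, 11, 13],
               [4, 7, 5, 6],
               [2, 21, 14, 9],
               [3, 23, 21, 8]]


def minor(m: Matrix, row: int, col: int) -> Matrix:
    return [r[:col] + r[col + 1:] for i, r in enumerate(m) if i != row]


def det(m: Matrix) -> int:
    """Integer determinant by Laplace expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def is_invertible_mod26(m: Matrix) -> bool:
    """A matrix has a multiplicative inverse in Z26 only when its determinant
    is coprime to 26, i.e. neither even nor a multiple of 13."""
    d = det(m) % MOD
    return d % 2 != 0 and d % 13 != 0


def inverse_mod26(m: Matrix) -> Matrix:
    """Inverse in Z26 via the adjugate: K^-1 = det(K)^-1 * adj(K) (mod 26)."""
    if not is_invertible_mod26(m):
        raise ValueError("matrix has no multiplicative inverse mod 26")
    d_inv = pow(det(m) % MOD, -1, MOD)
    n = len(m)
    return [[(-1) ** (i + j) * det(minor(m, j, i)) * d_inv % MOD for j in range(n)]
            for i in range(n)]


def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(x * y for x, y in zip(row, col)) % MOD for col in zip(*b)] for row in a]


def to_blocks(text: str, m: int, pad: str = "z") -> Matrix:
    """Letters only, lower-cased, padded with a bogus character to fill the last block."""
    chars = [c for c in text.lower() if c.isalpha()]
    chars += [pad] * (-len(chars) % m)
    nums = [ord(c) - ord("a") for c in chars]
    return [nums[i:i + m] for i in range(0, len(nums), m)]


def from_blocks(blocks: Matrix) -> str:
    return "".join(chr(ord("A") + x) for row in blocks for x in row)


def encrypt(plaintext: str, key: Matrix) -> str:
    """C = P K, one row of P per block (Figure 3.16)."""
    return from_blocks(mat_mul(to_blocks(plaintext, len(key)), key))


def decrypt(ciphertext: str, key: Matrix) -> str:
    """P = C K^-1; Bob needs the inverse, so the key must be invertible."""
    return from_blocks(mat_mul(to_blocks(ciphertext, len(key)), inverse_mod26(key))).lower()


def recover_key(pairs: List[Tuple[str, str]]) -> Matrix:
    """Known-plaintext attack: with m distinct (plaintext block, ciphertext block)
    pairs whose plaintext matrix P is invertible, K = P^-1 C."""
    m = len(pairs)
    p = [to_blocks(pt, m)[0] for pt, _ in pairs]
    c = [to_blocks(ct, m)[0] for _, ct in pairs]
    return mat_mul(inverse_mod26(p), c)


if __name__ == "__main__":
    ct = encrypt("code is ready", KEY)
    print(ct, decrypt(ct, KEY))
    known = ["code", "hill", "gold", "flag"]  # constructed known plaintext blocks
    print(recover_key([(pt, encrypt(pt, KEY)) for pt in known]) == KEY)
```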
One-Time Pad

One of the goals of cryptography is perfect secrecy. A study by Shannon has shown that perfect secrecy can be achieved if each plaintext symbol is encrypted with a key randomly chosen from a key domain. For example, an additive cipher can be easily broken because the same key is used to encrypt every character. However, even this simple cipher can become a perfect cipher if the key that is used to encrypt each character is chosen randomly from the key domain (00, 01, 02, ..., 25): that is, if the first character is encrypted using the key 04, the second character is encrypted using the key 02, the third character is encrypted using the key 21, and so on. Ciphertext-only attack is impossible. Other types of attacks are also impossible if the sender changes the key each time she sends a message, using another random sequence of integers.

This idea is used in a cipher called one-time pad, invented by Vernam. In this cipher, the key has the same length as the plaintext and is chosen completely at random.

A one-time pad is a perfect cipher, but it is almost impossible to implement commercially. If the key must be newly generated each time, how can Alice tell Bob the new key each time she has a message to send? However, there are some occasions when a one-time pad can be used. For example, if the president of a country needs to send a completely secret message to the president of another country, she can send a trusted envoy with the random key before sending the message.

Some variations of the one-time pad cipher will be discussed in later chapters when modern use of cryptography is introduced.

Rotor Cipher

Although one-time pad ciphers are not practical, a step toward more secure encipherment is the rotor cipher. It uses the idea behind monoalphabetic substitution but changes the mapping between the plaintext and the ciphertext characters for each plaintext character. Figure 3.19 shows a simplified example of a rotor cipher.



Figure 3.19 A rotor cipher (panels: Initial, After first rotation, After second rotation)

The rotor shown in Figure 3.19 uses only 6 letters, but the actual rotors use 26 letters. The rotor is permanently wired, but the connection to encryption/decryption characters is provided by brushes. Note that the wiring is shown as though the rotor were transparent and one could see the inside.

The initial setting (position) of the rotor is the secret key between Alice and Bob. The first plaintext character is encrypted using the initial setting; the second character is encrypted after the first rotation (in Figure 3.19 at 1/6 turn, but the actual setting is 1/26 turn); and so on.






A three-letter word such as "bee" is encrypted as "BAA" if the rotor is stationary (the monoalphabetic substitution cipher), but it will be encrypted as "BCA" if it is rotating (the rotor cipher). This shows that the rotor cipher is a polyalphabetic cipher because two occurrences of the same plaintext character are encrypted as different characters.

The rotor cipher is as resistant to a brute-force attack as the monoalphabetic substitution cipher because Eve still needs to find the first set of mappings among 26! possible ones. The rotor cipher is much more resistant to statistical attack than the monoalphabetic substitution cipher because it does not preserve letter frequency.

Enigma Machine

The Enigma machine was originally invented by Scherbius, but was modified by the German army and extensively used during World War II. The machine was based on the principle of rotor ciphers. Figure 3.20 shows a simple schematic diagram of the machine.

The following lists the main components of the machine:

1. A keyboard with 26 keys used for entering the plaintext when encrypting and for entering the ciphertext when decrypting.

2. A lampboard with 26 lamps that shows the ciphertext characters in encrypting and the plaintext characters in decrypting.

3. A plugboard with 26 plugs manually connected by 13 wires. The configuration is changed every day to provide different scrambling.

4. Three wired rotors as described in the previous section. The three rotors were chosen daily out of five available rotors. The fast rotor rotates 1/26 of a turn for each character entered on the keyboard. The middle rotor makes 1/26 turn for each complete turn of the fast rotor. The slow rotor makes 1/26 turn for each complete turn of the middle rotor.

5. A reflector, which is stationary and prewired.



Code Book

To use the Enigma machine, a code book was published that gives several settings for each day, including:

a. The three rotors to be chosen, out of the five available ones.

b. The order in which the rotors are to be installed.

c. The setting for the plugboard.

d. A three-letter code of the day.

Procedure for Encrypting a Message

To encrypt a message, the operator followed these steps:

1. Set the starting position of the rotors to the code of the day. For example, if the code was "HUA", the rotors are initialized to "H", "U", and "A", respectively.

2. Choose a random three-letter code such as "ACF". Encrypt the text "ACFACF" (repeated code) using the initial setting of rotors in step 1. For example, assume the encrypted code is "OPNABT".

3. Set the starting positions of the rotors to "OPN" (half of the encrypted code).

4. Append the encrypted six letters obtained from step 2 ("OPNABT") to the beginning of the message.

5. Encrypt the message including the six-letter code. Send the encrypted message.

Procedure for Decrypting a Message

To decrypt a message, the operator followed these steps:

1. Receive the message and separate the first six letters.

2. Set the starting position of the rotors to the code of the day.

3. Decrypt the first six letters using the initial setting in step 2.

4. Set the positions of the rotors to the first half of the decrypted code.

5. Decrypt the message (without the first six letters).

Cryptanalysis

We know that the Enigma machine was broken during the war, although the German army and the rest of the world did not hear about this until a few decades later. The question is how such a complicated cipher was attacked. Although the German army tried to hide the internal wiring of the rotors, the Allies somehow obtained some copies of the machines. The next step was to find the setting for each day and the code sent to initialize the rotors for every message. The invention of the first computer helped the Allies to overcome these difficulties. The full picture of the machine and its cryptanalysis can be found at some of the Enigma Websites.



3.3 TRANSPOSITION CIPHERS

A transposition cipher does not substitute one symbol for another; instead it changes the location of the symbols. A symbol in the first position of the plaintext may appear in the tenth position of the ciphertext. A symbol in the eighth position in the plaintext may appear in the first position of the ciphertext. In other words, a transposition cipher reorders (transposes) the symbols.

A transposition cipher reorders symbols.

Keyless Transposition Ciphers

Simple transposition ciphers, which were used in the past, are keyless. There are two methods for permutation of characters. In the first method, the text is written into a table column by column and then transmitted row by row. In the second method, the text is written into the table row by row and then transmitted column by column.

Example 3.22

A good example of a keyless cipher using the first method is the rail fence cipher. In this cipher, the plaintext is arranged in two lines as a zigzag pattern (which means column by column); the ciphertext is created by reading the pattern row by row. For example, to send the message "Meet me at the park" to Bob, Alice writes

    m   e   m   a   t   e   a   k
      e   t   e   t   h   p   r

She then creates the ciphertext "MEMATEAKETETHPR" by sending the first row followed by the second row. Bob receives the ciphertext and divides it in half (in this case the second half has one less character). The first half forms the first row; the second half, the second row. Bob reads the result in zigzag. Because there is no key and the number of rows is fixed (2), the cryptanalysis of the ciphertext would be very easy for Eve. All she needs to know is that the rail fence cipher is used.

Example 3.23

Alice and Bob can agree on the number of columns and use the second method. Alice writes the same plaintext, row by row, in a table of four columns.

    m  e  e  t
    m  e  a  t
    t  h  e  p
    a  r  k

She then creates the ciphertext "MMTAEEHREAEKTTP" by transmitting the characters column by column. Bob receives the ciphertext and follows the reverse process. He writes the received message, column by column, and reads it row by row as the plaintext. Eve can easily decipher the message if she knows the number of columns.




Example 3.24

The cipher in Example 3.23 is actually a transposition cipher. The following shows the permutation of each character in the plaintext into the ciphertext based on the positions.

    plaintext position:   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
    ciphertext position:  01 05 09 13 02 06 10 14 03 07 11 15 04 08 12

The second character in the plaintext has moved to the fifth position in the ciphertext; the third character has moved to the ninth position; and so on. Although the characters are permuted, there is a pattern in the permutation: (01, 05, 09, 13), (02, 06, 10, 14), (03, 07, 11, 15), and (04, 08, 12). In each section, the difference between the two adjacent numbers is 4.

Keyed Transposition Ciphers

The keyless ciphers permute the characters by writing the plaintext in one way (row by row, for example) and reading it in another way (column by column, for example). The permutation is done on the whole plaintext to create the whole ciphertext. Another method is to divide the plaintext into groups of predetermined size, called blocks, and then use a key to permute the characters in each block separately.







Example 3.25

Alice needs to send the message "Enemy attacks tonight" to Bob. Alice and Bob have agreed to divide the text into groups of five characters and then permute the characters in each group. The following shows the grouping after adding a bogus character at the end to make the last group the same size as the others.

    enemy attac kston ightz

The key used for encryption and decryption is a permutation key, which shows how the characters are permuted. For this message, assume that Alice and Bob used the following key:

    Encryption (read downward):   3  1  4  5  2
    Decryption (read upward):     1  2  3  4  5

The third character in the plaintext block becomes the first character in the ciphertext block; the first character in the plaintext block becomes the second character in the ciphertext block; and so on. The permutation yields

    EEMYN TAACT TKONS HITZG

Alice sends the ciphertext "EEMYNTAACTTKONSHITZG" to Bob. Bob divides the ciphertext into 5-character groups and, using the key in the reverse order, finds the plaintext.



Combining Two Approaches

More recent transposition ciphers combine the two approaches to achieve better scrambling. Encryption or decryption is done in three steps. First, the text is written into a table row by row. Second, the permutation is done by reordering the columns. Third, the new table is read column by column. The first and third steps provide a keyless global reordering; the second step provides a blockwise keyed reordering. These types of ciphers are often referred to as keyed columnar transposition ciphers or just columnar transposition ciphers.

Example 3.26

Suppose Alice again encrypts the message in Example 3.25, this time using the combined approach. The encryption and decryption is shown in Figure 3.21.

Figure 3.21 Example 3.26

    Alice writes row by row:      Columns permuted with the key (3 1 4 5 2):
        e n e m y                     e e m y n
        a t t a c                     t a a c t
        k s t o n                     t k o n s
        i g h t z                     h i t z g

    Reading the second table column by column gives the ciphertext "ETTHEAKIMAOTYCNZNTSG", which Alice sends to Bob.

The first table is created by Alice writing the plaintext row by row. The columns are permuted using the same key as in the previous example. The ciphertext is created by reading the second table column by column. Bob does the same three steps in the reverse order. He writes the ciphertext column by column into the first table, permutes the columns, and then reads the second table row by row.

Keys

In Example 3.27, a single key was used in two directions for the column exchange: downward for encryption, upward for decryption. It is customary to create two keys from this graphical representation: one for encryption and one for decryption. The keys are stored in tables with one entry for each column. The entry shows the source column number; the destination column number is understood from the position of the entry. Figure 3.22 shows how the two tables can be made from the graphical representation of the key.



Figure 3.22 Encryption/decryption keys in transposition ciphers (encryption key 3 1 4 5 2; decryption key 2 5 1 3 4)

The encryption key is (3 1 4 5 2). The first entry shows that column 3 (content) in the source becomes column 1 (position of the entry) in the destination. The decryption key is (2 5 1 3 4). The first entry shows that column 2 in the source becomes column 1 in the destination.

How can the decryption key be created if the encryption key is given, or vice versa? The process can be done manually in a few steps, as shown in Figure 3.23. First add indices to the key table, then swap the contents and indices, and finally sort the pairs according to the index.

Figure 3.23 Key inversion in a transposition cipher (a. Manual process; b. Algorithm). The figure inverts the seven-entry encryption key 2 6 3 1 4 7 5: adding indices, swapping content and index, and sorting by index gives the decryption key 4 1 3 5 7 2 6.

Using Matrices

We can use matrices to show the encryption/decryption process for a transposition cipher. The plaintext and ciphertext are l × m matrices representing the numerical values of the characters; the keys are square matrices of size m × m. In a permutation matrix, every row or column has exactly one 1 and the rest of the values are 0's. Encryption is performed by multiplying the plaintext matrix by the key matrix to get the ciphertext matrix; decryption is performed by multiplying the ciphertext by the inverse key matrix to get the plaintext matrix. A very interesting point is that the decryption matrix in this case is the inverse of the encryption matrix. However, there is no need to invert the matrix; the encryption key matrix can simply be transposed (swapping the rows and columns) to get the decryption key matrix.

Example 3.27

Figure 3.24 shows the encryption process. Multiplying the 4 × 5 plaintext matrix by the 5 × 5 encryption key gives the 4 × 5 ciphertext matrix. Matrix manipulation requires changing the characters in Example 3.27 to their numerical values (from 00 to 25). Note that the matrix multiplication only simulates the column permutation of the transposition; reading and writing into the table are provided by the rest of the algorithm.

Figure 3.24 Representation of the key as a matrix in the transposition cipher (the 4 × 5 plaintext matrix, the 5 × 5 encryption key matrix and the 4 × 5 ciphertext matrix; values not reproduced)

Cryptanalysis of Transposition Ciphers

Transposition ciphers are vulnerable to several kinds of ciphertext-only attacks.

Statistical Attack






A transposition cipher does not change the frequency of letters in the ciphertext; it only reorders the letters. So the first attack that can be applied is single-letter frequency analysis. This method can be useful if the length of the ciphertext is long enough. We have seen this attack before. However, transposition ciphers do not preserve the frequency of digrams and trigrams. This means that Eve cannot use these tools. In fact, if a cipher does not preserve the frequency of digrams and trigrams, but does preserve the frequency of single letters, it is probable that the cipher is a transposition cipher.



Brute-Force Attack

Eve can try all possible keys to decrypt the message. However, the number of keys can be huge (1! + 2! + 3! + ... + L!), where L is the length of the ciphertext. A better approach is to guess the number of columns. Eve knows that the number of columns divides L. For example, if the length of the cipher is 20 characters, then 20 = 1 × 2 × 2 × 5. This means the number of columns can be a combination of these factors (1, 2, 4, 5, 10, 20). However, the first (only one column) is out of the question and the last (only one row) is unlikely.


Example 3.28

Suppose that Eve has intercepted the ciphertext message "EEMYNTAACTTKONSHITZG". The message length L = 20 means the number of columns can be 1, 2, 4, 5, 10, or 20. Eve ignores the first value because it means only one column and no permutation.

a. If the number of columns is 2, the only two permutations are (1, 2) and (2, 1). The first one means there would be no permutation. Eve tries the second one. Eve divides the ciphertext into two-character units: "EE MY NT AA CT TK ON SH IT ZG". She then tries to permute each of these, getting "ee ym tn aa tc kt no hs ti gz", which does not make sense.

b. If the number of columns is 4, there are 4! = 24 permutations. The first one (1 2 3 4) means there would be no permutation. Eve needs to try the rest. After trying all 23 possibilities, Eve finds no plaintext that makes sense.

c. If the number of columns is 5, there are 5! = 120 permutations. The first one (1 2 3 4 5) means there would be no permutation. Eve needs to try the rest. The permutation (2 5 1 3 4) yields the plaintext "enemyattackstonight" that makes sense after removing the z letter and adding spaces.

Pattern Attack

Another attack on the transposition cipher can be called pattern attack. The ciphertext created from a keyed transposition cipher has some repeated patterns. The following shows where each character in the ciphertext in Example 3.26 comes from.

    03 08 13 18 01 06 11 16 04 09 14 19 05 10 15 20 02 07 12 17

The 1st character in the ciphertext comes from the 3rd character in the plaintext. The 2nd character in the ciphertext comes from the 8th character in the plaintext. The 20th character in the ciphertext comes from the 17th character in the plaintext, and so on. There is a pattern in the above list. We have five groups: (3, 8, 13, 18), (1, 6, 11, 16), (4, 9, 14, 19), (5, 10, 15, 20), and (2, 7, 12, 17). In all groups, the difference between the two adjacent numbers is 5. This regularity can be used by the cryptanalyst to break the cipher. If Eve knows or can guess the number of columns (which is 5 in this case), she can organize the ciphertext in groups of four characters. Permuting the groups can provide the clue to finding the plaintext.

Double Transposition Ciphers

Double transposition ciphers can make the job of the cryptanalyst difficult. An example of such a cipher would be the one that repeats twice the algorithm used for encryption and decryption in Example 3.26. A different key can be used in each step, but normally the same key is used.



Example 3.29

Let us repeat Example 3.26 using double transposition. Figure 3.25 shows the process.

Figure 3.25 Double transposition cipher (the three steps of Example 3.26, write row by row, permute the columns, read column by column, are applied twice with the same key before the ciphertext is sent)

Although the cryptanalyst can still use the single-letter frequency attack on the ciphertext, the pattern attack is now much more difficult. The pattern analysis of the text shown in Figure 3.25 gives a new set of source positions. Comparing this set with the result for the single transposition, we see that there is no repetitive pattern. Double transposition removes the regularity we have seen before.
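The keyed transposition ciphers of this section in working code, as an added example (not code from the book): the block permutation of Example 3.25, the columnar transposition of Example 3.26, key inversion as in Figure 3.23, the source-position list the pattern attack relies on, and the double transposition of Example 3.29. The message and the keys are the ones given on the page; source_positions generalizes the position list to any number of rounds so that the loss of the constant stride under double transposition can be checked directly.

```python
"""Keyed transposition ciphers of Section 3.3 (added example)."""
from typing import List

Key = List[int]  # 1-based: entry j is the source column that lands in column j


def invert_key(key: Key) -> Key:
    """Figure 3.23: pair each entry with its index, swap the roles, sort by the new index."""
    pairs = [(src, dest) for dest, src in enumerate(key, start=1)]
    return [dest for _, dest in sorted(pairs)]


def permute(block: str, key: Key) -> str:
    """Destination position j takes the character at source position key[j]."""
    return "".join(block[src - 1] for src in key)


def prepare(text: str, m: int, pad: str = "z") -> List[str]:
    """Letters only, lower-cased, cut into rows of m with a bogus pad on the last row."""
    chars = "".join(c for c in text.lower() if c.isalpha())
    chars += pad * (-len(chars) % m)
    return [chars[i:i + m] for i in range(0, len(chars), m)]


def block_encrypt(plaintext: str, key: Key) -> str:
    """Example 3.25: permute every m-character block with the key."""
    return "".join(permute(row, key) for row in prepare(plaintext, len(key))).upper()


def block_decrypt(ciphertext: str, key: Key) -> str:
    """Bob applies the inverted key block by block."""
    return block_encrypt(ciphertext, invert_key(key)).lower()


def columnar_encrypt(plaintext: str, key: Key) -> str:
    """Example 3.26: write row by row, permute the columns, read column by column."""
    rows = [permute(row, key) for row in prepare(plaintext, len(key))]
    return "".join(row[j] for j in range(len(key)) for row in rows).upper()


def columnar_decrypt(ciphertext: str, key: Key) -> str:
    """Write column by column, undo the column permutation, read row by row."""
    m = len(key)
    n_rows = len(ciphertext) // m
    cols = [ciphertext[i:i + n_rows] for i in range(0, len(ciphertext), n_rows)]
    rows = ["".join(col[r] for col in cols) for r in range(n_rows)]
    return "".join(permute(row, invert_key(key)) for row in rows).lower()


def source_positions(n: int, key: Key, rounds: int = 1) -> List[int]:
    """For each ciphertext position (1-based), the plaintext position it came from
    after `rounds` applications of columnar_encrypt with the same key. One round
    gives the groups with constant stride m that the pattern attack exploits."""
    m = len(key)
    positions = list(range(1, n + 1))
    for _ in range(rounds):
        rows = [positions[i:i + m] for i in range(0, n, m)]
        permuted = [[row[src - 1] for src in key] for row in rows]
        positions = [row[j] for j in range(m) for row in permuted]
    return positions


def column_groups(positions: List[int], m: int) -> List[List[int]]:
    """Split the source-position list into the m groups, one per ciphertext column."""
    rows = len(positions) // m
    return [positions[i:i + rows] for i in range(0, len(positions), rows)]


def has_constant_stride(positions: List[int], m: int) -> bool:
    """True when every group steps by exactly m, the regularity of Example 3.26."""
    return all(b - a == m for g in column_groups(positions, m) for a, b in zip(g, g[1:]))


if __name__ == "__main__":
    key = [3, 1, 4, 5, 2]
    msg = "Enemy attacks tonight"
    print(block_encrypt(msg, key), columnar_encrypt(msg, key))
    print(invert_key(key), invert_key([2, 6, 3, 1, 4, 7, 5]))
    print(column_groups(source_positions(20, key), 5))
    print(column_groups(source_positions(20, key, rounds=2), 5))
```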


3.4 STREAM AND BLOCK CIPHERS

The literature divides the symmetric ciphers into two broad categories: stream ciphers and block ciphers. Although the definitions are normally applied to modern ciphers, this categorization also applies to traditional ciphers.

Stream Ciphers

In a stream cipher, encryption and decryption are done one symbol (such as a character or a bit) at a time. We have a plaintext stream, a ciphertext stream, and a key stream. Call the plaintext stream P, the ciphertext stream C, and the key stream K.

    P = P1 P2 P3 ...
    C = C1 C2 C3 ...
    K = (k1, k2, k3, ...)



Figure 3.26 shows the idea behind a stream cipher. Characters in the plaintext are fed into the encryption algorithm, one at a time; the ciphertext characters are also created one at a time. The key stream can be created in many ways. It may be a stream of predetermined values; it may be created one value at a time using an algorithm. The values may depend on the plaintext or ciphertext stream. The values may also depend on the previous key values.



Figure 3.26 Stream cipher (the plaintext stream enters the encryption algorithm one character at a time, the key stream feeds the algorithm, and the ciphertext stream leaves it one character at a time)

Figure 3.26 shows the moment where the third character in the plaintext stream is encrypted using the third value in the key stream. The result creates the third character in the ciphertext stream.

Example 3.30

Additive ciphers can be categorized as stream ciphers in which the key stream is the repeated value of the key. In other words, the key stream is considered as a predetermined stream of keys, or K = (k, k, ..., k). In this cipher, however, each character in the ciphertext depends only on the corresponding character in the plaintext, because the key stream is generated independently.

Example 3.31

Monoalphabetic substitution ciphers are also stream ciphers. However, each value of the key stream in this case is the mapping of the current plaintext character to the corresponding ciphertext character in the mapping table.

Example 3.32

Vigenère ciphers are also stream ciphers according to the definition. In this case, the key stream is a repetition of m values, where m is the size of the keyword. In other words,

K = [(k1, k2, ..., km), (k1, k2, ..., km), ...]



Example 3.33

We can establish a criterion to divide stream ciphers based on their key streams. We can say that a stream cipher is a monoalphabetic cipher if the value of ki does not depend on the position of the plaintext character in the plaintext stream; otherwise, the cipher is polyalphabetic.

□ Additive ciphers are definitely monoalphabetic because ki in the key stream is fixed; it does not depend on the position of the character in the plaintext.

□ Monoalphabetic substitution ciphers are definitely monoalphabetic because ki does not depend on the position of the corresponding character in the plaintext stream; it depends only on the value of the plaintext character.

□ Vigenère ciphers are polyalphabetic ciphers because ki definitely depends on the position of the plaintext character. However, the dependency is cyclic. The key is the same for two characters m positions apart.



Block Ciphers

In a block cipher, a group of plaintext symbols of size m (m > 1) are encrypted together, creating a group of ciphertext of the same size. Based on the definition, in a block cipher a single key is used to encrypt the whole block even if the key is made of multiple values. Figure 3.27 shows the concept of a block cipher.

Figure 3.27 Block cipher (figure not reproduced in this copy)

In a block cipher, a ciphertext block depends on the whole plaintext block.



Example 3.34

Playfair ciphers are block ciphers. The size of the block is m = 2. Two characters are encrypted together.

Example 3.35

Hill ciphers are block ciphers. A block of plaintext of size 2 or more is encrypted together using a single key (a matrix). In these ciphers, the value of each character in the ciphertext depends on all the values of the characters in the plaintext. Although the key is made of m × m values, it is considered as a single key.

Example 3.36

From the definition of the block cipher, it is clear that every block cipher is a polyalphabetic cipher because each character in a ciphertext block depends on all characters in the plaintext block.

Combination

In practice, blocks of plaintext are encrypted individually, but they use a stream of keys to encrypt the whole message block by block. In other words, the cipher is a block cipher when looking at the individual blocks, but it is a stream cipher when looking at the whole message considering each block as a single unit. Each block uses a different key that may be generated before or during the encryption process. Examples of this will appear in later chapters.
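The stream-cipher view of Section 3.4 in working code, as an added example that is not from the book: the additive, Vigenère and autokey ciphers differ only in their key-stream generator, while a Hill 2 × 2 block shows that one ciphertext character depends on the whole plaintext block (Example 3.35). All function names, the key matrix HILL_KEY and the sample messages are constructed for this example; the Hill row-vector convention C = P × K is an assumption.

```python
# Added example (not from the book): Section 3.4's stream-cipher view, in
# which only the key-stream generator distinguishes the additive, Vigenere and
# autokey ciphers, contrasted with a Hill 2x2 block cipher where one ciphertext
# character depends on the whole plaintext block.  All arithmetic is in Z26.
from typing import Iterator, List

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def to_nums(text: str) -> List[int]:
    """Map a-z to 0-25; spaces and other symbols are dropped (as the book does)."""
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]


def to_text(nums: List[int]) -> str:
    return "".join(ALPHABET[n % 26] for n in nums)


# --- key-stream generators (Examples 3.30 and 3.32, plus the autokey cipher) ---
def additive_keystream(k: int) -> Iterator[int]:
    """Additive cipher: K = (k, k, k, ...); k_i never depends on the position."""
    while True:
        yield k % 26


def vigenere_keystream(keyword: str) -> Iterator[int]:
    """Vigenere: K = [(k1..km), (k1..km), ...]; k_i depends on i mod m."""
    ks = to_nums(keyword)
    i = 0
    while True:
        yield ks[i % len(ks)]
        i += 1


def autokey_keystream(k1: int, plaintext_nums: List[int]) -> Iterator[int]:
    """Autokey: k_1 is the secret, then k_i = P_(i-1); the stream depends on
    the plaintext itself, so it is polyalphabetic by the Example 3.33 test."""
    yield k1 % 26
    for p in plaintext_nums:
        yield p


def stream_encrypt(plaintext: str, keystream: Iterator[int]) -> str:
    """C_i = (P_i + k_i) mod 26, one character at a time."""
    return to_text([(p + k) % 26 for p, k in zip(to_nums(plaintext), keystream)]).upper()


def stream_decrypt(ciphertext: str, keystream: Iterator[int]) -> str:
    """P_i = (C_i - k_i) mod 26."""
    return to_text([(c - k) % 26 for c, k in zip(to_nums(ciphertext), keystream)])


def autokey_decrypt(ciphertext: str, k1: int) -> str:
    """Decryption must rebuild the key stream from the plaintext recovered so far."""
    k, out = k1 % 26, []
    for c in to_nums(ciphertext):
        p = (c - k) % 26
        out.append(p)
        k = p
    return to_text(out)


# --- block view (Example 3.35): Hill cipher with a 2x2 key matrix over Z26 ---
# Constructed key; det = 3*12 - 5*7 = 1, so it is invertible mod 26.
HILL_KEY = [[3, 5], [7, 12]]


def hill_encrypt_block(block: List[int], key: List[List[int]]) -> List[int]:
    """C = P x K mod 26 with P a 1x2 row vector (row-vector convention assumed)."""
    p1, p2 = block
    return [(p1 * key[0][0] + p2 * key[1][0]) % 26,
            (p1 * key[0][1] + p2 * key[1][1]) % 26]


def hill_encrypt(plaintext: str, key: List[List[int]]) -> str:
    nums = to_nums(plaintext)
    if len(nums) % 2:
        nums.append(ALPHABET.index("z"))   # constructed padding choice
    out: List[int] = []
    for i in range(0, len(nums), 2):
        out += hill_encrypt_block(nums[i:i + 2], key)
    return to_text(out).upper()


def changed_positions(a: str, b: str) -> List[int]:
    """Indices where two ciphertexts of equal length differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    msg = "attack at dawn"                        # constructed sample message
    print(stream_encrypt(msg, additive_keystream(20)))
    print(stream_encrypt(msg, vigenere_keystream("lemon")))
    print(stream_encrypt(msg, autokey_keystream(3, to_nums(msg))))
    # One changed plaintext letter changes both letters of its Hill block only.
    print(hill_encrypt("help", HILL_KEY), hill_encrypt("halp", HILL_KEY))
```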



3.5 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

Several books discuss classic symmetric-key ciphers. [Kah96] and [Sin99] give a thorough history of these ciphers. [M^nw], [Bar02], [TW06], [Cop99], [Sta06], [Sch96], [Mao03], and [Gar01] provide good accounts of the technical details.

Websites

The following websites give more information about topics discussed in this chapter.

Jutp^www^ry^|E>grsm.e4^
act. btcvcm.edu/cry pw, php
http://vfwwxrypto.cxHn/
h[tp:/A**vw r Tririea&
□tlp;//www.&ri^g^



3.6 KEY TERMS

additive cipher
affine cipher
autokey cipher
block cipher
brute-force attack
Caesar cipher
chosen-ciphertext attack
chosen-plaintext attack
cipher
ciphertext
ciphertext-only attack
cryptanalysis
decryption algorithm
digram
double transposition cipher
encryption algorithm
Enigma machine
exhaustive-key-search method
Hill cipher
Kasiski test
Kerckhoff's principle
key domain
known-plaintext attack
monoalphabetic cipher
monoalphabetic substitution cipher
multiplicative cipher
one-time pad
plaintext
Playfair cipher
polyalphabetic cipher
polyalphabetic substitution cipher
rail fence cipher
rotor cipher
shared secret key
shift cipher
stream cipher
substitution cipher
transposition cipher
trigram
Vigenère cipher
Vigenère tableau



3.7 SUMMARY

□ Symmetric-key encipherment uses a single key for both encryption and decryption. In addition, the encryption and decryption algorithms are inverses of each other.

□ The original message is called the plaintext; the message that is sent through the channel is called the ciphertext. To create the ciphertext from the plaintext, an encryption algorithm is used with a shared secret key. To create the plaintext from the ciphertext, a decryption algorithm is used with the same secret key. We refer to encryption and decryption algorithms as ciphers.

□ Based on Kerckhoff's principle, one should always assume that the adversary knows the encryption/decryption algorithm. The resistance of the cipher to attack should be based only on the secrecy of the key.

□ Cryptanalysis is the science and art of breaking ciphers. There are four common types of cryptanalysis attacks: ciphertext-only, known-plaintext, chosen-plaintext, and chosen-ciphertext.

□ Traditional symmetric-key ciphers can be divided into two broad categories: substitution ciphers and transposition ciphers. A substitution cipher replaces one character with another character. A transposition cipher reorders the symbols.

□ Substitution ciphers can be divided into two broad categories: monoalphabetic ciphers and polyalphabetic ciphers. In monoalphabetic substitution, the relationship between a character in the plaintext and the character in the ciphertext is one-to-one. In polyalphabetic substitution, the relationship between a character in the plaintext and the characters in the ciphertext is one-to-many.

□ Monoalphabetic ciphers include additive, multiplicative, affine, and monoalphabetic substitution ciphers.

□ Polyalphabetic ciphers include autokey, Playfair, Vigenère, Hill, one-time pad, rotor, and Enigma ciphers.

□ Transposition ciphers include keyless, keyed, and double transposition ciphers.

□ Symmetric ciphers can also be divided into two broad categories: stream ciphers and block ciphers. In a stream cipher, encryption and decryption are done one symbol at a time. In a block cipher, symbols in a block are encrypted together. In practice, blocks of plaintext are encrypted individually, but they use a stream of keys to encrypt the whole message block by block.



3.8 PRACTICE SET

Review Questions

1. Define a symmetric-key cipher.

2. Distinguish between a substitution cipher and a transposition cipher.

3. Distinguish between a monoalphabetic and a polyalphabetic cipher.

4. Distinguish between a stream cipher and a block cipher.

5. Are all stream ciphers monoalphabetic? Explain.

6. Are all block ciphers polyalphabetic? Explain.

7. List three monoalphabetic ciphers.

8. List three polyalphabetic ciphers.

9. List two transposition ciphers.

10. List four kinds of cryptanalysis attacks.



Exercises

11. A small private club has only 100 members. Answer the following questions:

a. How many secret keys are needed if all members of the club need to send secret messages to each other?

b. How many secret keys are needed if everyone trusts the president of the club? If a member needs to send a message to another member, she first sends it to the president; the president then sends the message to the other member.

c. How many secret keys are needed if the president decides that the two members who need to communicate should contact him first. The president then creates a temporary key to be used between the two. The temporary key is encrypted and sent to both members.

12. Some archeologists found a new script written in an unknown language. The archeologists later found a small tablet at the same place that contains a sentence in the same language with the translation in Greek. Using the tablet, they were able to read the original script. What type of attack did the archeologists use?

13. Alice can use only the additive cipher on her computer to send a message to a friend. She thinks that the message is more secure if she encrypts the message two times, each time with a different key. Is she right? Defend your answer.

14. Alice has a long message to send. She is using the monoalphabetic substitution cipher. She thinks that if she compresses the message, it may protect the text from a single-letter frequency attack by Eve. Does the compression help? Should she compress the message before the encryption or after the encryption? Defend your answer.

15. Alice often needs to encipher plaintext made of both letters (a to z) and digits (0 to 9).

a. If she uses an additive cipher, what is the key domain? What is the modulus?

b. If she uses a multiplicative cipher, what is the key domain? What is the modulus?

c. If she uses an affine cipher, what is the key domain? What is the modulus?

16. Assume that spaces, periods, and question marks are added to the plaintext to increase the key domain of simple ciphers.

a. What is the key domain if an additive cipher is used?

b. What is the key domain if a multiplicative cipher is used?

c. What is the key domain if an affine cipher is used?

17. Alice and Bob have decided to ignore Kerckhoff's principle and hide the type of the cipher they are using.

a. How can Eve decide whether a substitution or a transposition cipher was used?

b. If Eve knows that the cipher is a substitution cipher, how can she decide whether it was an additive, multiplicative, or affine cipher?

c. If Eve knows that the cipher is a transposition, how can she find the size of the section (m)?

18. In each of the following ciphers, what is the maximum number of characters that will be changed in the ciphertext if only a single character is changed in the plaintext?

a. Additive

b. Multiplicative

d. Vigenère

f. One-time pad

g. Rotor

h. Enigma

19. In each of the following ciphers, what is the maximum number of characters that will be changed in the ciphertext if only one character is changed in the plaintext?

a. Single transposition

b. Double transposition

c. Playfair

20. For each of the following ciphers, say whether it is a stream cipher or a block cipher. Defend your answer.

a. Playfair

b. Autokey

c. One-time pad

d. Rotor

e. Enigma



21. Encrypt the message "this is an exercise" using one of the following ciphers. Ignore the space between words. Decrypt the message to get the original plaintext.

a. Additive cipher with key = 20

b. Multiplicative cipher with key = 15

c. Affine cipher with key = (15, 20)

22. Encrypt the message "the house is being sold tonight" using one of the following ciphers. Ignore the space between words. Decrypt the message to get the plaintext:

a. Vigenère cipher with key: "dollars"

b. Autokey cipher with key = 7

c. Playfair cipher with the key created in the text (see Figure 3.13)

23. Use the Vigenère cipher with keyword "HEALTH" to encipher the message "Life is full of surprises".

24. Use the Playfair cipher to encipher the message "The key is hidden under the door pad". The secret key can be made by filling the first and part of the second row with the word "GUIDANCE" and filling the rest of the matrix with the rest of the alphabet.

25. Use a Hill cipher to encipher the message "We live in an insecure world". Use the following key:



K = 



03 
05 



x5 



26. John is reading a mystery book involving cryptography. In one part of the book, the author gives a ciphertext "CIW" and two paragraphs later the author tells the reader that this is a shift cipher and the plaintext is "yes". In the next chapter, the hero found a tablet in a cave with "XVIEWYWI" engraved on it. John immediately found the actual meaning of the ciphertext. What type of attack did John launch here? What is the plaintext?

27. Eve secretly gets access to Alice's computer and using her cipher types "abcdefghij". The screen shows "CABDEHFGIJ". If Eve knows that Alice is using a keyed transposition cipher, answer the following questions:

a. What type of attack is Eve launching?

b. What is the size of the permutation key?

28. Use a brute-force attack to decipher the following message enciphered by Alice using an additive cipher. Suppose that Alice always uses a key that is close to her birthday, which is on the 13th of the month:


NaAr^CTASJLYODEPW^ 

29. Use a brute-force attack to decipher the following message. Assume that you know it is an affine cipher and that the plaintext "ab" is enciphered to "GL":

30. Use a one-letter frequency attack to decipher the following message. Assume that you know it is enciphered using a monoalphabetic substitution cipher.

vejIHO^'EmWOBEVGWOCBWtlNUGBLHGBCR 

31. Assume that punctuation marks (periods, question marks, and spaces) are added to the encryption alphabet of a Hill cipher; then a 2 × 2 key matrix in Z29 can be used for encryption and decryption.

a. Find the total number of possible matrices.

b. It can be proved that the total number of invertible matrices is (N^2 − 1)(N^2 − N), where N is the alphabet size. Find the key domain of a Hill cipher using this alphabet.

32. Use a single-letter frequency attack to break the following ciphertext. You know that it has been created with an additive cipher.

< tfWKWNG WCB PQ A«^VQ APMUGXWl'ItJ VOBQUM APMIDGZC A B 
BQV UM/Mi XM I JVXZOTOQ V I -M MXAV WEI VLU2S N'/.WAH 
JQZLWNLMTQOIU VWMUA&'t I S I 'A KQNBTCTWNBU J*M VM A li 
ITl AKWCTLVB BQUMQBIifrajtQ H KLAtj V t JG B/C 'AB 

33. Use a Kasiski test and single-letter frequency attack to break the following ciphertext. You know that it has been created with a Vigenère cipher.

MPYIOOBSI^IDB^'RDlKATXAlUlttjXimhrrijlGTl IDELT 
TKAlI^iSVOBSMUJOTQEF^Aaifedt^ 
DDRXW1 VPF f N SdCLOUMSN B CC VUUj&OJNWS VX AUH I K 

LXmfOIC[^TPB^IMHXLJXHOLWPE^^^)A[X)C^^Q^J^T 

34. The encryption key in a transposition cipher is (3, 2, 6, 1, 5, 4). Find the decryption key.

35. Show the matrix representation of the transposition cipher encryption key with the key (3, 2, 6, 1, 5, 4). Find the matrix representation of the decryption key.

36. The plaintext "letusmeetnow" and the corresponding ciphertext "HBCDFNGPrKLIT" are given. You know that the algorithm is a Hill cipher, but you don't know the size of the key. Find the key matrix.

37. Hill ciphers and multiplicative ciphers are very similar. Hill ciphers are block ciphers using multiplication of matrices; multiplicative ciphers are stream ciphers using multiplication of scalars.

a. Define a block cipher that is similar to an additive cipher using the addition of matrices.

b. Define a block cipher that is similar to an affine cipher using the multiplication and addition of matrices.

38. Let us define a new stream cipher. The cipher is affine, but the keys depend on the position of the character in the plaintext. If the plaintext character to be encrypted is in position i, then find the keys as follows:

a. The multiplicative key is the (i mod 12)th element in Z26*.

b. The additive key is the (i mod 26)th element in Z26.

Encrypt the message "cryptography is fun" using this new cipher.

39. Suppose that for a Hill cipher the plaintext is a multiplicative identity matrix (I). Find the relationship between the key and ciphertext. Use the result of your finding to launch a chosen-plaintext attack on the Hill cipher.

40. Atbash was a popular cipher among Biblical writers. In Atbash, "A" is encrypted as "Z", "B" is encrypted as "Y", and so on. Similarly, "Z" is encrypted as "A", "Y" is encrypted as "B", and so on. Suppose that the alphabet is divided into two halves and the letters in the first half are encrypted as the letters in the second and vice versa. Find the type of cipher and the key. Encipher the message "an exercise" using the Atbash cipher.

41. In a Polybius cipher, each letter is enciphered as two integers. The key is a 5 × 5 matrix of characters as in a Playfair cipher. Given the plaintext as the character in the matrix, the ciphertext is the two integers (each between 1 and 5) representing row and column numbers. Encipher the message "An exercise" using the Polybius cipher with the following key:

(5 × 5 Polybius key matrix not reproduced in this copy)







CHAPTER 4

Mathematics of Cryptography

Part II: Algebraic Structures

Objectives

This chapter prepares the reader for the next few chapters, which will discuss modern symmetric-key ciphers based on algebraic structures. This chapter has several objectives:

□ To review the concept of algebraic structures

□ To define and give some examples of groups

□ To define and give some examples of rings

□ To define and give some examples of fields

□ To emphasize the finite fields of type GF(2^n) that make it possible to perform operations such as addition, subtraction, multiplication, and division on n-bit words in modern block ciphers

The next few chapters will discuss modern symmetric-key block ciphers that perform arithmetic operations on n-bit words. Understanding and analyzing these ciphers requires some knowledge of a branch of modern algebra called algebraic structures. This chapter first reviews the topic of algebraic structures, and then it shows how to perform operations such as addition or multiplication on n-bit words.



4.1 ALGEBRAIC STRUCTURES

Chapter 2 discussed some sets of numbers, such as Z, Zn, Zn*, Zp, and Zp*. Cryptography requires sets of integers and specific operations that are defined for those sets. The combination of the set and the operations that are applied to the elements of the set is called an algebraic structure. In this chapter, we will define three common algebraic structures: groups, rings, and fields (Figure 4.1).

Figure 4.1 Common algebraic structures (figure not reproduced in this copy)





Groups

A group (G) is a set of elements with a binary operation "•" that satisfies four properties (or axioms). A commutative group, also called an abelian group, is a group in which the operator satisfies the four properties for groups plus an extra property, commutativity. The four properties for groups plus commutativity are defined as follows.

□ Closure: If a and b are elements of G, then c = a • b is also an element of G. This means that the result of applying the operation on any two elements in the set is another element in the set.

□ Associativity: If a, b, and c are elements of G, then (a • b) • c = a • (b • c). In other words, it does not matter in which order we apply the operation on more than two elements.

□ Commutativity: For all a and b in G, we have a • b = b • a. Note that this property needs to be satisfied only for a commutative group.

□ Existence of identity: For all a in G, there exists an element e, called the identity element, such that e • a = a • e = a.

□ Existence of inverse: For each a in G, there exists an element a^-1, called the inverse of a, such that a • a^-1 = a^-1 • a = e.

Figure 4.2 shows the concept of a group.

Application

Although a group involves a single operation, the properties imposed on the operation allow the use of a pair of operations as long as they are inverses of each other. For example, if the defined operation is addition, the group supports both addition and subtraction, because subtraction is addition using the additive inverse. This is also true for multiplication and division. However, a group can support only addition/subtraction or multiplication/division operations, but not both at the same time.



Figure 4.2 Group (figure not reproduced in this copy; it lists the five properties and notes that commutativity is satisfied only for a commutative group)

Example 4.1

The set of residue integers with the addition operator, G = <Zn, +>, is a commutative group. We can perform addition and subtraction on the elements of this set without moving out of the set. Let us check the properties.

1. Closure is satisfied. The result of adding two integers in Zn is another integer in Zn.

2. Associativity is satisfied. The result of 4 + (3 + 2) is the same as (4 + 3) + 2.

3. Commutativity is satisfied. We have 3 + 5 = 5 + 3.

4. The identity element is 0. We have 3 + 0 = 0 + 3 = 3.

5. Every element has an additive inverse. The inverse of an element is its complement. For example, the inverse of 3 is −3 (n − 3 in Zn) and the inverse of −3 is 3. The inverse allows us to perform subtraction on the set.

Example 4.2

The set Zn* with the multiplication operator, G = <Zn*, ×>, is also an abelian group. We can perform multiplication and division on the elements of this set without moving out of the set. It is easy to check the first three properties. The identity element is 1. Each element has an inverse that can be found according to the extended Euclidean algorithm.

Example 4.3

Although we normally think about a group as the set of numbers with the regular operations such as addition or subtraction, the definition of the group allows us to define any set of objects and an operation that satisfies the above-mentioned properties. Let us define a set G = <{a, b, c, d}, •> and the operation shown in Table 4.1.

Table 4.1 Operation table for Example 4.3 (table not reproduced in this copy)



This is an abelian group. All five properties are satisfied:

1. Closure is satisfied. Applying the operation on any pair of elements results in another element in this set.

2. Associativity is satisfied. To prove this we need to check the property for any combination of three elements.

3. The operation is commutative. We have d • b = b • d.

4. The group has an identity element, which is a.

5. Each element has an inverse. The inverse pairs can be found by finding the identity in each row (shaded).

Example 4.4

In a group, the elements in the set do not have to be numbers or objects; they can be rules, mappings, functions, or even actions. A very interesting group is the permutation group. The set is the set of all permutations, and the operation is composition: applying one permutation after another. Figure 4.3 shows composition of two permutations that transpose three inputs to create three outputs.

Figure 4.3 Composition of permutations (Example 4.4) (figure not reproduced in this copy)

The inputs and outputs can be characters (Chapter 2) or can be bits (Chapter 5). We have shown each permutation by a table in which the content shows where the input comes from and the index (not shown) defines the output. Composition involves applying two permutations, one after the other. Note that the expression in Figure 4.3 is read from right to left: permutation [1 3 2] is followed by [3 1 2]; the result is [2 1 3]. With three inputs and three outputs, there can be 3! or 6 different permutations. Table 4.2 shows how the operation is defined. The first row is the first permutation; the first column is the second permutation. The result is the cross-section element.

In this case, only four properties are satisfied: the group is non-abelian.

1. Closure is satisfied.

2. Associativity is also satisfied. To prove this we need to check the property for any combination of three elements.

3. The commutative property is not satisfied. This can be easily checked, but we leave it as an exercise.



Table 4.2 Operation table for the permutation group (table not reproduced in this copy)

4. The set has an identity element, which is [1 2 3] (no permutation). These are shaded in Table 4.2.

5. Each element has an inverse. The inverse pairs can be found using the identity elements.

Example 4.5

In the previous example, we showed that a set of permutations with the composition operation is a group. This implies that using two permutations one after another cannot strengthen the security of a cipher, because we can always find a permutation that can do the same job because of the closure property.
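A brute-force checker for the five group properties, applied to Examples 4.1, 4.2 and 4.4 above, as an added example that is not from the book. Every group here is tiny, so checking all pairs and triples is feasible; the function names, the tuple encoding of permutations and the composition helper are assumptions of this example, chosen to match the book's table notation (the content says which input position each output comes from).

```python
# Added example (not from the book): a brute-force checker for the group
# properties of Section 4.1, applied to <Z6, +>, <Z10*, x> and the permutation
# group of Example 4.4.  Brute force is fine because every group is tiny.
from itertools import permutations, product
from math import gcd
from typing import Callable, Dict, Hashable, List, Optional, Tuple

Element = Hashable
Op = Callable[[Element, Element], Element]


def find_identity(elems: List[Element], op: Op) -> Optional[Element]:
    """The element e with e • a = a • e = a for every a, or None."""
    for e in elems:
        if all(op(e, a) == a and op(a, e) == a for a in elems):
            return e
    return None


def group_properties(elements: List[Element], op: Op) -> Dict[str, bool]:
    """Brute-force check of the five properties listed under "Groups":
    closure, associativity, commutativity, identity, inverse."""
    elems = list(elements)
    closure = all(op(a, b) in elems for a, b in product(elems, repeat=2))
    assoc = all(op(op(a, b), c) == op(a, op(b, c))
                for a, b, c in product(elems, repeat=3))
    commut = all(op(a, b) == op(b, a) for a, b in product(elems, repeat=2))
    e = find_identity(elems, op)
    inverse = e is not None and all(
        any(op(a, x) == e and op(x, a) == e for x in elems) for a in elems)
    return {"closure": closure, "associativity": assoc, "commutativity": commut,
            "identity": e is not None, "inverse": inverse}


def is_group(elements: List[Element], op: Op) -> bool:
    """A group needs closure, associativity, identity and inverse."""
    p = group_properties(elements, op)
    return p["closure"] and p["associativity"] and p["identity"] and p["inverse"]


def is_abelian_group(elements: List[Element], op: Op) -> bool:
    """An abelian (commutative) group needs all five properties."""
    return all(group_properties(elements, op).values())


# --- Examples 4.1 and 4.2: <Zn, +> and <Zn*, x> ---
def z_add(n: int):
    return list(range(n)), (lambda a, b: (a + b) % n)


def z_star_mul(n: int):
    return [a for a in range(1, n) if gcd(a, n) == 1], (lambda a, b: (a * b) % n)


# --- Example 4.4: permutations in the book's table notation ---
# A permutation is a tuple whose i-th entry says which input position the
# i-th output is taken from: (3, 1, 2) means output1 = input3, output2 = input1,
# output3 = input2.
Perm = Tuple[int, ...]


def apply_perm(p: Perm, inputs: Tuple) -> Tuple:
    return tuple(inputs[i - 1] for i in p)


def compose(second: Perm, first: Perm) -> Perm:
    """Composition read right to left as in Figure 4.3: apply `first`, then
    `second`, and return the single permutation with the same effect."""
    identity = tuple(range(1, len(first) + 1))
    return apply_perm(second, apply_perm(first, identity))


def all_perms(n: int) -> List[Perm]:
    """The n! permutations of n inputs (6 for n = 3, as Table 4.2 shows)."""
    return [tuple(p) for p in permutations(range(1, n + 1))]


if __name__ == "__main__":
    print("Z6,+   ", group_properties(*z_add(6)))
    print("Z10*,x ", group_properties(*z_star_mul(10)))
    print("S3,o   ", group_properties(all_perms(3), compose))
    print("[3 1 2] after [1 3 2] =", compose((3, 1, 2), (1, 3, 2)))
```

The last line reproduces the Figure 4.3 composition, and the S3 line shows closure, associativity, identity and inverse holding while commutativity fails, which is the Example 4.5 point that chaining permutations never leaves the group.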

Finite Group

A group is called a finite group if the set has a finite number of elements; otherwise, it is an infinite group.

Order of a Group

The order of a group, |G|, is the number of elements in the group. If the group is not finite, its order is infinite; if the group is finite, the order is finite.




Subgroups

A subset H of a group G is a subgroup of G if H itself is a group with respect to the operation on G. In other words, if G = <S, •> is a group, H = <T, •> is a group under the same operation, and T is a nonempty subset of S, then H is a subgroup of G. The above definition implies that:

1. If a and b are members of both groups, then c = a • b is also a member of both groups.

2. The groups share the same identity element.

3. If a is a member of both groups, the inverse of a is also a member of both groups.

4. The group made of the identity element of G, H = <{e}, •>, is a subgroup of G.

5. Each group is a subgroup of itself.

Example 4.6

Is the group H = <Z10, +> a subgroup of the group G = <Z12, +>?

Solution

The answer is no. Although H is a subset of G, the operations defined for these two groups are different. The operation in H is addition modulo 10; the operation in G is addition modulo 12.

Cyclic Subgroups

If a subgroup of a group can be generated using the power of an element, the subgroup is called the cyclic subgroup. The term power here means repeatedly applying the group operation to the element:

a^n → a • a • ... • a (n times)

The set made from this process is referred to as <a>. Note that the duplicate elements must be discarded. Note also that a^0 = e.

Example 4.7

Four cyclic subgroups can be made from the group G = <Z6, +>. They are H1 = <{0}, +>, H2 = <{0, 2, 4}, +>, H3 = <{0, 3}, +>, and H4 = G. Note that when the operation is addition, a^n means multiplying n by a. Note also that in all of these groups, the operation is addition modulo 6. The following shows how we find the elements of these cyclic subgroups.

a. The cyclic subgroup generated from 0 is H1, which has only one element (the identity element).

0^0 mod 6 = 0
0^1 mod 6 = 0
(the process will not take us anywhere new)

b. The cyclic subgroup generated from 1 is H4, which is G itself.

1^0 mod 6 = 0
1^1 mod 6 = 1
1^2 mod 6 = (1 + 1) mod 6 = 2
1^3 mod 6 = (1 + 1 + 1) mod 6 = 3
1^4 mod 6 = (1 + 1 + 1 + 1) mod 6 = 4
1^5 mod 6 = (1 + 1 + 1 + 1 + 1) mod 6 = 5
(the process will not take us anywhere new)

c. The cyclic subgroup generated from 2 is H2, which has three elements: 0, 2, and 4.

2^0 mod 6 = 0
2^1 mod 6 = 2
2^2 mod 6 = (2 + 2) mod 6 = 4
(the process will not take us anywhere new)

d. The cyclic subgroup generated from 3 is H3, which has two elements: 0 and 3.

3^0 mod 6 = 0
3^1 mod 6 = 3
(the process will not take us anywhere new)

e. The cyclic subgroup generated from 4 is H2; this is not a new subgroup.

4^0 mod 6 = 0
4^1 mod 6 = 4
4^2 mod 6 = (4 + 4) mod 6 = 2
(the process will not take us anywhere new)

f. The cyclic subgroup generated from 5 is H4, which is G itself.

5^0 mod 6 = 0
5^1 mod 6 = 5
5^2 mod 6 = (5 + 5) mod 6 = 4
5^3 mod 6 = (5 + 5 + 5) mod 6 = 3
5^4 mod 6 = (5 + 5 + 5 + 5) mod 6 = 2
5^5 mod 6 = (5 + 5 + 5 + 5 + 5) mod 6 = 1
(the process will not take us anywhere new)

Example 4.8

Three cyclic subgroups can be made from the group G = <Z10*, ×>. G has only four elements: 1, 3, 7, and 9. The cyclic subgroups are H1 = <{1}, ×>, H2 = <{1, 9}, ×>, and H3 = G. The following shows how we find the elements of these cyclic subgroups.

a. The cyclic subgroup generated from 1 is H1, which has only one element (the identity element).

1^0 mod 10 = 1
1^1 mod 10 = 1
(the process will not take us anywhere new)

b. The cyclic subgroup generated from 3 is H3, which is G itself.

3^0 mod 10 = 1
3^1 mod 10 = 3
3^2 mod 10 = 9
3^3 mod 10 = 7
(the process will not take us anywhere new)

c. The cyclic subgroup generated from 7 is H3, which is G itself.

7^0 mod 10 = 1
7^1 mod 10 = 7
7^2 mod 10 = 9
7^3 mod 10 = 3
(the process will not take us anywhere new)

d. The cyclic subgroup generated from 9 is H2, which has two elements: 1 and 9.

9^0 mod 10 = 1
9^1 mod 10 = 9
(the process will not take us anywhere new)

Cyclic Groups

A cyclic group is a group that is its own cyclic subgroup. In Example 4.7, the group G has a cyclic subgroup H4 = G. This means that the group G is a cyclic group. In this case, the element that generates the cyclic subgroup can also generate the whole group. This element is referred to as a generator. If g is a generator, the elements in a finite cyclic group can be written as

{e, g, g^2, ..., g^(n−1)}, where g^n = e.

Note that a cyclic group can have many generators.



Example 4.9

a. The group G = <Z6, +> is a cyclic group with two generators, g = 1 and g = 5.

b. The group G = <Z10*, ×> is a cyclic group with two generators, g = 3 and g = 7.

Lagrange's Theorem

Lagrange's theorem relates the order of a group to the order of its subgroup. Assume that G is a group, and H is a subgroup of G. If the order of G and H are |G| and |H|, respectively, then, based on this theorem, |H| divides |G|. In Example 4.7, |G| = 6. The orders of the subgroups are |H1| = 1, |H2| = 3, |H3| = 2, and |H4| = 6. Obviously all of these orders divide 6.

Lagrange's theorem has a very interesting application. Given a group G of order |G|, the orders of the potential subgroups can be easily determined if the divisors of |G| can be found. For example, the order of the group G = <Z17, +> is 17. The only divisors of 17 are 1 and 17. This means that this group can have only two subgroups, H1 with the identity element and H2 = G.

Order of an Element

The order of an element a in a group, ord(a), is the smallest integer n such that a^n = e. The definition can be paraphrased: the order of an element is the order of the cyclic group it generates.

Example 4.10

a. In the group G = <Z6, +>, the orders of the elements are: ord(0) = 1, ord(1) = 6, ord(2) = 3, ord(3) = 2, ord(4) = 3, ord(5) = 6.

b. In the group G = <Z10*, ×>, the orders of the elements are: ord(1) = 1, ord(3) = 4, ord(7) = 4, ord(9) = 2.
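The cyclic subgroups, generators, element orders and Lagrange check of Examples 4.7 through 4.10 computed mechanically, as an added example that is not from the book. A group is passed as (elements, operation, identity); the function names are assumptions of this example, and a^n is built by repeated application of the operation exactly as the "Cyclic Subgroups" definition describes.

```python
# Added example (not from the book): cyclic subgroups, generators, element
# order and Lagrange's theorem for a finite group given as (elements, op,
# identity), checked on <Z6, +> (Example 4.7) and <Z10*, x> (Example 4.8).
from math import gcd
from typing import Callable, List, Set, Tuple

Op = Callable[[int, int], int]


def cyclic_subgroup(a: int, op: Op, identity: int) -> List[int]:
    """<a> = {a^0, a^1, a^2, ...} where a^n means a (op) a ... n times.
    Stops as soon as a power repeats and drops the duplicate, as the book says."""
    elems, power = [identity], identity          # a^0 = e
    while True:
        power = op(power, a)                      # a^(n+1) = a^n (op) a
        if power in elems:
            return elems
        elems.append(power)


def order(a: int, op: Op, identity: int) -> int:
    """ord(a): smallest n >= 1 with a^n = e, i.e. |<a>| for a finite group."""
    return len(cyclic_subgroup(a, op, identity))


def generators(elements: List[int], op: Op, identity: int) -> List[int]:
    """Elements whose cyclic subgroup is the whole group; the group is cyclic
    exactly when this list is non-empty (Example 4.9)."""
    return [g for g in elements
            if set(cyclic_subgroup(g, op, identity)) == set(elements)]


def cyclic_subgroups(elements: List[int], op: Op, identity: int) -> List[Set[int]]:
    """Distinct cyclic subgroups, smallest first.  Duplicates such as <2> = <4>
    in Z6 (Example 4.7 e) are collapsed."""
    distinct = {frozenset(cyclic_subgroup(a, op, identity)) for a in elements}
    return [set(s) for s in sorted(distinct, key=lambda s: (len(s), sorted(s)))]


def lagrange_holds(elements: List[int], op: Op, identity: int) -> bool:
    """Lagrange: the order of every subgroup divides |G|."""
    return all(len(elements) % len(h) == 0
               for h in cyclic_subgroups(elements, op, identity))


# --- the two groups used in Examples 4.7 to 4.10 ---
def z_add(n: int) -> Tuple[List[int], Op, int]:
    return list(range(n)), (lambda a, b: (a + b) % n), 0


def z_star_mul(n: int) -> Tuple[List[int], Op, int]:
    return [a for a in range(1, n) if gcd(a, n) == 1], (lambda a, b: (a * b) % n), 1


if __name__ == "__main__":
    for name, grp in (("Z6,+", z_add(6)), ("Z10*,x", z_star_mul(10))):
        elems, op, e = grp
        print(name, "subgroups:", cyclic_subgroups(*grp))
        print(name, "generators:", generators(*grp))
        print(name, "orders:", {a: order(a, op, e) for a in elems})
        print(name, "Lagrange holds:", lagrange_holds(*grp))
```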

Rings

A ring, denoted as R = <{...}, •, □>, is an algebraic structure with two operations. The first operation must satisfy all five properties required for an abelian group. The second operation must satisfy only the first two. In addition, the second operation must be distributed over the first. Distributivity means that for all a, b, and c elements of R, we have a □ (b • c) = (a □ b) • (a □ c) and (a • b) □ c = (a □ c) • (b □ c). A commutative ring is a ring in which the commutative property is also satisfied for the second operation. Figure 4.4 shows a ring and a commutative ring.

Application

A ring involves two operations. However, the second operation can fail to satisfy the third and fourth properties. In other words, the first operation is actually a pair of operations, such as addition and subtraction; the second operation is a single operation, such as multiplication, but not division.

Figure 4.4 Ring (figure not reproduced in this copy; it notes that the third property of the second operation is only satisfied for a commutative ring)

Example 4.11

The set Z with two operations, addition and multiplication, is a commutative ring. We show it by R = <Z, +, ×>. Addition satisfies all of the five properties; multiplication satisfies only three properties. Multiplication also distributes over addition. For example, 5 × (3 + 2) = (5 × 3) + (5 × 2) = 25. Although we can perform addition and subtraction on this set, we can perform only multiplication, but not division. Division is not allowed in this structure because it yields an element out of the set. The result of dividing 12 by 5 is 2.4, which is not in the set.

Field

A field, denoted by F = <{...}, •, □>, is a commutative ring in which the second operation satisfies all five properties defined for the first operation except that the identity of the first operation (sometimes called the zero element) has no inverse. Figure 4.5 shows a field.

Figure 4.5 Field

[The figure shows a field F = <{...}, •, □>. Both operations satisfy the five properties: 1. closure, 2. associativity, 3. commutativity, 4. existence of identity, and 5. existence of inverse; the second operation is distributed over the first. The identity element of the first operation has no inverse with respect to the second operation.]

Application

A field is a structure that supports two pairs of operations that we have used in mathematics: addition/subtraction and multiplication/division. There is one exception: division by zero is not allowed.



Finite Fields

Although we have fields of infinite order, only finite fields are extensively used in cryptography. A finite field, a field with a finite number of elements, is a very important structure in cryptography. Galois showed that for a field to be finite, the number of elements should be p^n, where p is a prime and n is a positive integer. The finite fields are usually called Galois fields and denoted as GF(p^n).

A Galois field, GF(p^n), is a finite field with p^n elements.



GF(p) Fields

When n = 1, we have the GF(p) field. This field can be the set Z_p = {0, 1, ..., p − 1} with two arithmetic operations (addition and multiplication). Recall that in this set each element has an additive inverse and that all nonzero elements have a multiplicative inverse (there is no multiplicative inverse for 0).

Example 4.12

A very common field in this category is GF(2) with the set {0, 1} and two operations, addition and multiplication, as shown in Figure 4.6.

Figure 4.6 GF(2) field

  +  | 0  1        ×  | 0  1        a   | 0  1        a    | 1
 ----+------      ----+------       −a  | 0  1        a^−1 | 1
  0  | 0  1        0  | 0  0
  1  | 1  0        1  | 0  1
   Addition        Multiplication   Additive inverse   Multiplicative inverse

There are several things to notice about this field. First, the set has only two elements, which are binary digits or bits (0 and 1). Second, the addition operation is simply the exclusive-or (XOR) operation we use on two binary digits. Third, the multiplication operation is the AND operation we use on two binary digits. Fourth, the addition and subtraction operations are the same (the XOR operation). Fifth, the multiplication and division operations are the same (the AND operation).

Addition/subtraction in GF(2) is the same as the XOR operation;
multiplication/division is the same as the AND operation.



Example 4.13

We can define GF(5) on the set Z_5 (5 is a prime) with the addition and multiplication operators as shown in Figure 4.7.

Although we can use the extended Euclidean algorithm to find the multiplicative inverses of elements in GF(5), it is simpler to look at the multiplication table and find each pair with the product equal to 1. They are (1, 1), (2, 3), (3, 2), and (4, 4). Note that we can apply addition/subtraction and multiplication/division on the set except that division by 0 is not allowed.







Figure 4.7 GF(5) field

  +  | 0  1  2  3  4        ×  | 0  1  2  3  4
 ----+---------------      ----+---------------
  0  | 0  1  2  3  4        0  | 0  0  0  0  0
  1  | 1  2  3  4  0        1  | 0  1  2  3  4
  2  | 2  3  4  0  1        2  | 0  2  4  1  3
  3  | 3  4  0  1  2        3  | 0  3  1  4  2
  4  | 4  0  1  2  3        4  | 0  4  3  2  1
       Addition                  Multiplication

  a   | 0  1  2  3  4        a    | 1  2  3  4
  −a  | 0  4  3  2  1        a^−1 | 1  3  2  4
   Additive inverse            Multiplicative inverse
GF(2^n) Fields

In addition to GF(p) fields, we are also interested in GF(2^n) fields in cryptography. However, the sets Z_{2^n} with n > 1, which we have used so far with operations such as addition and multiplication, cannot satisfy the requirements of a field, because 2^n is not a prime. Some new sets and some new operations on those sets must be defined. In the next section, we show how GF(2^n) is a very useful field in cryptography.
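The claim above can be checked directly. The following Python is an added example (not code from the textbook): it uses the integer extended Euclidean algorithm to list which residues of Z_n have a multiplicative inverse, and from that decides whether <Z_n, +, ×> is a field or only a commutative ring. The function names (egcd, mul_inverse, units, is_field, inverse_pairs) are the example's own. Run on Z_5 it reproduces the inverse pairs of Example 4.13; run on Z_8 and Z_16 it shows exactly which nonzero residues have no inverse, which is why n-bit words with the modulus 2^n cannot be used as a field.

```python
# Added example (not from the textbook): which residue sets <Z_n, +, x> are fields?
# Z_n is always a commutative ring; it is a field only when every nonzero residue has a
# multiplicative inverse, which happens exactly when n is prime.  Z_(2^n) for n > 1 fails.
from typing import List, Optional, Tuple


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    r1, r2 = a, b
    s1, s2 = 1, 0
    t1, t2 = 0, 1
    while r2 != 0:
        q = r1 // r2
        r1, r2 = r2, r1 - q * r2
        s1, s2 = s2, s1 - q * s2
        t1, t2 = t2, t1 - q * t2
    return r1, s1, t1


def mul_inverse(a: int, n: int) -> Optional[int]:
    """Multiplicative inverse of a in Z_n, or None when gcd(a, n) != 1 (no inverse exists)."""
    g, s, _ = egcd(a % n, n)
    return s % n if g == 1 else None


def units(n: int) -> List[int]:
    """The residues of Z_n that have a multiplicative inverse: the set Z_n*."""
    return [a for a in range(1, n) if mul_inverse(a, n) is not None]


def non_invertible(n: int) -> List[int]:
    """Nonzero residues without an inverse; any such element shows Z_n is only a ring."""
    return [a for a in range(1, n) if mul_inverse(a, n) is None]


def is_field(n: int) -> bool:
    """<Z_n, +, x> is a field iff every one of the n - 1 nonzero residues is a unit."""
    return n > 1 and len(units(n)) == n - 1


def inverse_pairs(n: int) -> List[Tuple[int, int]]:
    """(a, a^-1) for every unit a of Z_n; for a prime p this is the GF(p) inverse table."""
    return [(a, mul_inverse(a, n)) for a in units(n)]


if __name__ == "__main__":
    for n in (5, 7, 8, 12, 16, 17):
        if is_field(n):
            print("Z_%-2d  field GF(%d)" % (n, n))
        else:
            print("Z_%-2d  ring only, no inverse for %s" % (n, non_invertible(n)))
    print("GF(5) inverse pairs:", inverse_pairs(5))   # (1,1) (2,3) (3,2) (4,4) as in Example 4.13
```

The test for a field is deliberately the textbook's definition (every nonzero element has an inverse) rather than a primality test, so the output for Z_8 also tells you which elements break the structure: 2, 4 and 6, the residues that share a factor with 8.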

Summary

The study of three algebraic structures allows us to use sets in which operations similar to addition/subtraction and multiplication/division can be used with the set. We need to distinguish between the three structures. The first structure, the group, supports one related pair of operations. The second structure, the ring, supports one related pair of operations and one single operation. The third structure, the field, supports two pairs of operations. Table 4.3 summarizes the three structures.

Table 4.3 Summary of algebraic structures

Structure   Supported typical operations   Supported typical sets of integers
Group       (+, −) or (×, ÷)
Ring        (+, −) and (×)
Field       (+, −) and (×, ÷)

4.2 GF(2^n) FIELDS

In cryptography, we often need to use four operations (addition, subtraction, multiplication, and division). In other words, we need to use fields. However, when we work with computers, the positive integers are stored in the computer as n-bit words in which n is usually 8, 16, 32, 64, and so on. This means that the range of integers is 0 to 2^n − 1. The modulus is 2^n. So we have two choices if we want to use a field:

1. We can use GF(p) with the set Z_p, where p is the largest prime number less than 2^n. Although this scheme works, it is inefficient because we cannot use the integers from p to 2^n − 1. For example, if n = 4, the largest prime less than 2^4 is 13. This means that we cannot use the integers 13, 14, and 15. If n = 8, the largest prime less than 2^8 is 251, so we cannot use 251, 252, 253, 254, and 255.



2. We can work in GF(2^n) and use a set of 2^n elements. The elements in this set are n-bit words. For example, if n = 3, the set is

   {000, 001, 010, 011, 100, 101, 110, 111}

However, we cannot interpret each element as an integer between 0 and 7 because the regular four operations cannot be applied (the modulus 2^n is not a prime). We need to define a set of n-bit words and two new operations that satisfy the properties defined for a field.

Example 4.14

Let us define a GF(2^2) field in which the set has four 2-bit words: {00, 01, 10, 11}. We can redefine addition and multiplication for this field in such a way that all properties of these operations are satisfied, as shown in Figure 4.8.





Figure 4.8 An example of a GF(2^2) field

  +  | 00  01  10  11        ×  | 00  01  10  11
 ----+----------------      ----+----------------
  00 | 00  01  10  11        00 | 00  00  00  00
  01 | 01  00  11  10        01 | 00  01  10  11
  10 | 10  11  00  01        10 | 00  10  11  01
  11 | 11  10  01  00        11 | 00  11  01  10
      Addition                   Multiplication

  Additive inverses (identity 00): 00 ↔ 00, 01 ↔ 01, 10 ↔ 10, 11 ↔ 11
  Multiplicative inverses (identity 01): 01 ↔ 01, 10 ↔ 11

Each word is the additive inverse of itself. Every word except 00 has a multiplicative inverse. The multiplicative inverse pairs are (01, 01) and (10, 11). Addition and multiplication are defined in terms of polynomials, as discussed next.

Polynomials

Although we can directly define the rules for the addition and multiplication operations on n-bit words that satisfy the properties of GF(2^n), it is easier to work with a representation of n-bit words: a polynomial of degree n − 1. A polynomial of degree n − 1 is an expression of the form

   f(x) = a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + ... + a_1 x^1 + a_0 x^0

where x^i is called the ith term and a_i is called the coefficient of the ith term. Although we are familiar with polynomials in algebra, to represent an n-bit word by a polynomial we need to follow some rules:

a. The power of x defines the position of the bit in the n-bit word. The leftmost (most significant) bit is the coefficient of x^{n−1}; the rightmost (least significant) bit is the coefficient of x^0. Figure 4.9 and Examples 4.16 and 4.18 use this convention.

b. The coefficients of the terms define the values of the bits. Because a bit can have only a value of 0 or 1, our polynomial coefficients can be either 0 or 1.



Example 4.15

Figure 4.9 shows how we can represent the 8-bit word (10011001) using a polynomial.

Figure 4.9 Representation of an 8-bit word by a polynomial

  Word:                  1     0     0     1     1     0     0     1
  Polynomial:           1x^7 + 0x^6 + 0x^5 + 1x^4 + 1x^3 + 0x^2 + 0x^1 + 1x^0
  First simplification:  x^7 + x^4 + x^3 + x^0      (terms with coefficient 0 are dropped)
  Second simplification: x^7 + x^4 + x^3 + 1        (coefficient 1 and x^0 are written implicitly)

Example 4.16

To find the 8-bit word related to the polynomial x^5 + x^2 + x, we first supply the omitted terms. Since n = 8, it means the polynomial is of degree 7. The expanded polynomial is

   0x^7 + 0x^6 + 1x^5 + 0x^4 + 0x^3 + 1x^2 + 1x^1 + 0x^0

This is related to the 8-bit word 00100110.

^ X 

Operations

Note that any operation on polynomials here involves two kinds of operations: operations on coefficients and operations on two polynomials. In other words, we need to define two fields: one for the coefficients and one for the polynomials. Coefficients are made of 0 or 1; we can use the GF(2) field for this purpose. We discussed this field before (see Example 4.12). For the polynomials we need the field GF(2^n), which we will discuss shortly.

Polynomials representing n-bit words use two fields: GF(2) and GF(2^n).

— — 

Modulus

Before defining the operations on polynomials, we need to talk about the modulus polynomials. Addition of two polynomials never creates a polynomial out of the set. However, multiplication of two polynomials may create a polynomial with degree more than n − 1. This means we need to divide the result by a modulus and keep only the remainder, as we did in modular arithmetic. For the sets of polynomials in GF(2^n), a polynomial of degree n is defined as the modulus. The modulus in this case acts as a prime polynomial, which means that no polynomial in the set can divide this polynomial. A prime polynomial cannot be factored into polynomials with degree less than n. Such polynomials are referred to as irreducible polynomials. Table 4.4 shows the irreducible polynomials of degrees 1 to 5.



For each degree, there is often more than one irreducible polynomial, which means that when we define our GF(2^n) we need to declare which irreducible polynomial we are using as the modulus.

Table 4.4 List of irreducible polynomials

Degree   Irreducible polynomials
1        (x + 1), (x)
2        (x^2 + x + 1)
3        (x^3 + x^2 + 1), (x^3 + x + 1)
4        (x^4 + x^3 + x^2 + x + 1), (x^4 + x^3 + 1), (x^4 + x + 1)
5        (x^5 + x^2 + 1), (x^5 + x^3 + x^2 + x + 1), (x^5 + x^4 + x^3 + x + 1),
         (x^5 + x^4 + x^3 + x^2 + 1), (x^5 + x^3 + 1), (x^5 + x^4 + x^2 + x + 1)


Addition

Now let us define the addition operation for polynomials with coefficients in GF(2). Addition is very easy: we add the coefficients of the corresponding terms in GF(2). Note that adding two polynomials of degree n − 1 always creates a polynomial with degree at most n − 1, which means that we do not need to reduce the result using the modulus.

Example 4.17

Let us do (x^5 + x^2 + x) ⊕ (x^3 + x^2 + 1) in GF(2^8). We use the symbol ⊕ to show that we mean polynomial addition. The following shows the procedure:

     0x^7 + 0x^6 + 1x^5 + 0x^4 + 0x^3 + 1x^2 + 1x^1 + 0x^0
  ⊕  0x^7 + 0x^6 + 0x^5 + 0x^4 + 1x^3 + 1x^2 + 0x^1 + 1x^0
     -----------------------------------------------------
     0x^7 + 0x^6 + 1x^5 + 0x^4 + 1x^3 + 0x^2 + 1x^1 + 1x^0

There is also a shortcut: keep the uncommon terms and delete the common terms. In other words, x^5, x^3, x, and 1 are kept and x^2, which is common to the two polynomials, is deleted. The result is x^5 + x^3 + x + 1.


Example 4.18

There is also another shortcut, because addition in GF(2) means the exclusive-or (XOR) operation. So we can exclusive-or the two words, bit by bit, to get the result. In the previous example, x^5 + x^2 + x is 00100110 and x^3 + x^2 + 1 is 00001101. The result is 00101011, or in polynomial notation x^5 + x^3 + x + 1.

Additive Identity The additive identity is the zero polynomial (a polynomial with all coefficients set to zero), because adding it to any polynomial leaves that polynomial unchanged.

Additive Inverse The additive inverse of a polynomial with coefficients in GF(2) is the polynomial itself, because adding a polynomial to itself results in the zero polynomial. This means that the subtraction operation is the same as the addition operation.



Addition and subtraction operations on polynomials are the same operation.

Multiplication

Multiplication of polynomials is the sum of the multiplication of each term of the first polynomial with each term of the second polynomial. However, we need to remember three points. First, the coefficient multiplication is done in GF(2). Second, multiplying x^i by x^j results in x^{i+j}. Third, the multiplication may create terms with degree more than n − 1, which means the result needs to be reduced using a modulus polynomial. We first show how to multiply two polynomials according to the above definition. Later we will see a more efficient algorithm that can be used by a computer program.

Example 4.19

Find the result of (x^5 + x^2 + x) ⊗ (x^7 + x^4 + x^3 + x^2 + x) in GF(2^8) with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1). Note that we use the symbol ⊗ to show the multiplication of two polynomials.

Solution

We first multiply the two polynomials as we have learned in algebra. Note that in this process, a pair of terms with equal power of x cancel. For example, x^9 + x^9 is totally deleted because the coefficient sum 1 + 1 is 0 in GF(2).

  P1 ⊗ P2 = (x^5 + x^2 + x) ⊗ (x^7 + x^4 + x^3 + x^2 + x) mod (x^8 + x^4 + x^3 + x + 1)
          = [(x^12 + x^9 + x^8 + x^7 + x^6) ⊕ (x^9 + x^6 + x^5 + x^4 + x^3) ⊕ (x^8 + x^5 + x^4 + x^3 + x^2)] mod (x^8 + x^4 + x^3 + x + 1)
          = (x^12 + x^7 + x^2) mod (x^8 + x^4 + x^3 + x + 1)

To find the final result, divide the polynomial of degree 12 by the polynomial of degree 8 (the modulus) and keep only the remainder. The process is the one we have learned in algebra, but we should remember that subtraction is the same as addition here. Figure 4.10 shows the process of division.

Figure 4.10 Polynomial division with coefficients in GF(2)

                                 x^4 + 1                          (quotient)
  x^8 + x^4 + x^3 + x + 1 ) x^12 + x^7 + x^2
                            x^12 + x^8 + x^7 + x^5 + x^4          (x^4 times the modulus)
                            -----------------------------
                                   x^8 + x^5 + x^4 + x^2
                                   x^8 + x^4 + x^3 + x + 1        (1 times the modulus)
                                   ----------------------
                                         x^5 + x^3 + x^2 + x + 1  (remainder)

The result is P1 ⊗ P2 = x^5 + x^3 + x^2 + x + 1.


Multiplicative Identity The multiplicative identity is always 1. For example, in GF(2^8) the multiplicative identity is the bit pattern 00000001.




Multiplicative Inverse Finding the multiplicative inverse is a little more involved. The extended Euclidean algorithm must be applied to the modulus and the polynomial. The process is exactly the same as for integers.

Example 4.20

In GF(2^4), find the inverse of (x^2 + 1) modulo (x^4 + x + 1).

Solution

We use the extended Euclidean algorithm as in Table 4.5:

Table 4.5 Euclidean algorithm for Example 4.20

  q           r1             r2          r      t1              t2              t
  (x^2 + 1)   (x^4 + x + 1)  (x^2 + 1)   (x)    (0)             (1)             (x^2 + 1)
  (x)         (x^2 + 1)      (x)         (1)    (1)             (x^2 + 1)       (x^3 + x + 1)
  (x)         (x)            (1)         (0)    (x^2 + 1)       (x^3 + x + 1)   (x^4 + x + 1)
              (1)            (0)                (x^3 + x + 1)   (x^4 + x + 1)

This means that (x^2 + 1)^−1 modulo (x^4 + x + 1) is (x^3 + x + 1). The answer can be easily proved by multiplying the two polynomials and finding the remainder when the result is divided by the modulus:

  [(x^2 + 1) ⊗ (x^3 + x + 1)] mod (x^4 + x + 1) = (x^5 + x^2 + x + 1) mod (x^4 + x + 1) = 1
Example 4.21

In GF(2^8), find the inverse of (x^5) modulo (x^8 + x^4 + x^3 + x + 1).

Solution

Use the extended Euclidean algorithm as shown in Table 4.6:

Table 4.6 Euclidean algorithm for Example 4.21

  q                 r1                         r2                       r                      t1                       t2                         t
  (x^3)             (x^8 + x^4 + x^3 + x + 1)  (x^5)                    (x^4 + x^3 + x + 1)    (0)                      (1)                        (x^3)
  (x + 1)           (x^5)                      (x^4 + x^3 + x + 1)      (x^3 + x^2 + 1)        (1)                      (x^3)                      (x^4 + x^3 + 1)
  (x)               (x^4 + x^3 + x + 1)        (x^3 + x^2 + 1)          (1)                    (x^3)                    (x^4 + x^3 + 1)            (x^5 + x^4 + x^3 + x)
  (x^3 + x^2 + 1)   (x^3 + x^2 + 1)            (1)                      (0)                    (x^4 + x^3 + 1)          (x^5 + x^4 + x^3 + x)      (x^8 + x^4 + x^3 + x + 1)
                    (1)                        (0)                                             (x^5 + x^4 + x^3 + x)    (x^8 + x^4 + x^3 + x + 1)

This means that (x^5)^−1 modulo (x^8 + x^4 + x^3 + x + 1) is (x^5 + x^4 + x^3 + x). The answer can be easily proved by multiplying the two polynomials and finding the remainder when the result is divided by the modulus:

  [(x^5) ⊗ (x^5 + x^4 + x^3 + x)] mod (x^8 + x^4 + x^3 + x + 1) = (x^10 + x^9 + x^8 + x^6) mod (x^8 + x^4 + x^3 + x + 1) = 1



Multiplication Using Computer

Because of the division operation, there is an efficiency problem involved in writing a program to multiply two polynomials. The computer implementation uses a better algorithm: repeatedly multiplying a reduced polynomial by x. For example, instead of finding the result of (x^4 ⊗ P2) directly, the program finds the result of (x ⊗ P2), reduces it, multiplies that by x again, and so on. The benefit of this strategy will be discussed shortly, but first let us use an example to show the process.

Example 4.22

Find the result of multiplying P1 = (x^5 + x^2 + x) by P2 = (x^7 + x^4 + x^3 + x^2 + x) in GF(2^8) with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1).

Solution

The process is shown in Table 4.7. We first find the partial results of multiplying x^0, x^1, x^2, x^3, x^4, and x^5 by P2. Note that although only three terms are needed, the product x^i ⊗ P2 for i from 0 to 5 is calculated because each calculation depends on the previous result.

Table 4.7 An efficient algorithm for multiplication using polynomials (Example 4.22)

  Power       Operation                          New result                                          Reduction
  x^0 ⊗ P2                                       x^7 + x^4 + x^3 + x^2 + x                           No
  x^1 ⊗ P2    x ⊗ (x^7 + x^4 + x^3 + x^2 + x)    x^8 + x^5 + x^4 + x^3 + x^2 → x^5 + x^2 + x + 1     Yes
  x^2 ⊗ P2    x ⊗ (x^5 + x^2 + x + 1)            x^6 + x^3 + x^2 + x                                 No
  x^3 ⊗ P2    x ⊗ (x^6 + x^3 + x^2 + x)          x^7 + x^4 + x^3 + x^2                               No
  x^4 ⊗ P2    x ⊗ (x^7 + x^4 + x^3 + x^2)        x^8 + x^5 + x^4 + x^3 → x^5 + x + 1                 Yes
  x^5 ⊗ P2    x ⊗ (x^5 + x + 1)                  x^6 + x^2 + x                                       No

  P1 ⊗ P2 = (x^5 ⊗ P2) ⊕ (x^2 ⊗ P2) ⊕ (x ⊗ P2)
          = (x^6 + x^2 + x) ⊕ (x^6 + x^3 + x^2 + x) ⊕ (x^5 + x^2 + x + 1) = x^5 + x^3 + x^2 + x + 1

The reduction in each "Yes" row replaces x^8 by x^4 + x^3 + x + 1, the remaining terms of the modulus.

The above algorithm has two benefits. First, multiplication of a polynomial by x can be easily achieved by one-bit shifting of the n-bit word, an operation provided by common programming languages. Second, the result needs to be reduced only if the shifted polynomial has a term of degree n, that is, only if the most significant bit of the previous result was 1. In that case the reduction can be done by a single XOR with the modulus, because the highest power in the result is only n and the modulus has degree n. We can then design a simple algorithm to find each partial result:

1. If the most significant bit of the previous result is 0, just shift the previous result one bit to the left.

2. If the most significant bit of the previous result is 1,

a. shift it one bit to the left (the most significant bit falls off), and

b. exclusive-or it with the modulus without its most significant bit.
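Both ways of multiplying (the term-by-term product followed by long division as in Example 4.19, and the shift-and-XOR algorithm of Tables 4.7 and 4.8), together with the extended Euclidean inverse of Examples 4.20 and 4.21, in Python. This is an added example, not code from the textbook. It stores a polynomial as an integer whose bit i is the coefficient of x^i, so an n-bit word is just an integer and the 9-bit modulus x^8 + x^4 + x^3 + x + 1 is 0b100011011; the names poly_divmod, poly_mul_schoolbook, xtime, gf_mul and gf_inverse are the example's own. It generalizes the text's GF(2^8) case to any n and any irreducible modulus, and the shift method is checked against the long-division method so the two agree.

```python
# Added example (not from the textbook): GF(2^n) arithmetic on n-bit words.
# A polynomial over GF(2) is stored as a Python int whose bit i is the coefficient of
# x^i, so the 8-bit word 10011001 (x^7 + x^4 + x^3 + 1) is 0b10011001 and the modulus
# x^8 + x^4 + x^3 + x + 1 of Examples 4.19-4.23 is the 9-bit value 0b100011011.
from typing import Tuple


def poly_degree(p: int) -> int:
    """Degree of a nonzero polynomial; -1 for the zero polynomial."""
    return p.bit_length() - 1


def poly_divmod(a: int, m: int) -> Tuple[int, int]:
    """Long division of a by m with coefficients in GF(2) (Figure 4.10): (quotient, remainder).
    Subtraction is XOR, so each step cancels the leading term of a with a shifted copy of m."""
    q, dm = 0, poly_degree(m)
    while a and poly_degree(a) >= dm:
        shift = poly_degree(a) - dm
        q ^= 1 << shift            # the quotient gains the term x^shift
        a ^= m << shift            # a := a - x^shift * m
    return q, a


def poly_mul_schoolbook(a: int, b: int, m: int) -> int:
    """Example 4.19 method: multiply every term of a by every term of b (pairs of equal
    powers cancel because 1 + 1 = 0 in GF(2)), then reduce the product modulo m once."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a              # add a * x^i for each term x^i present in b
        a <<= 1
        b >>= 1
    return poly_divmod(prod, m)[1]


def xtime(p: int, n: int, m: int) -> int:
    """Multiply the n-bit word p by x (the two-step rule of the text): shift left one bit;
    if the old most significant bit was 1 the result has degree n, and XORing the full
    (n+1)-bit modulus both clears that bit and adds the lower terms of m.  That is the
    same as XORing 'the modulus without its most significant bit' on n bits."""
    p <<= 1
    if p >> n:
        p ^= m
    return p


def gf_mul(a: int, b: int, n: int, m: int) -> int:
    """Tables 4.7/4.8 method: x^(i+1) (x) b is one xtime() of x^i (x) b, so the product is
    the XOR of those partial results for the terms x^i that are present in a."""
    result, partial = 0, b             # partial starts as x^0 (x) b
    for i in range(n):
        if (a >> i) & 1:
            result ^= partial
        partial = xtime(partial, n, m)
    return result


def gf_inverse(a: int, m: int) -> int:
    """Extended Euclidean algorithm over GF(2)[x] (Tables 4.5 and 4.6): a^-1 modulo m.
    Each t is kept reduced modulo m, so the final t1 is already an n-bit word."""
    r1, r2 = m, a
    t1, t2 = 0, 1
    while r2:
        q, r = poly_divmod(r1, r2)
        r1, r2 = r2, r
        t1, t2 = t2, t1 ^ poly_mul_schoolbook(q, t2, m)
    if r1 != 1:
        raise ValueError("not invertible: gcd(a, m) != 1 (a == 0 or m not irreducible)")
    return t1


AES_MODULUS = 0b100011011        # x^8 + x^4 + x^3 + x + 1

if __name__ == "__main__":
    p1, p2 = 0b00100110, 0b10011110       # x^5 + x^2 + x  and  x^7 + x^4 + x^3 + x^2 + x
    print(format(poly_mul_schoolbook(p1, p2, AES_MODULUS), "08b"))   # Example 4.19
    print(format(gf_mul(p1, p2, 8, AES_MODULUS), "08b"))             # Example 4.23
    print(format(gf_inverse(0b101, 0b10011), "04b"))                 # Example 4.20
    print(format(gf_inverse(0b100000, AES_MODULUS), "08b"))          # Example 4.21
```

gf_mul performs at most n − 1 shifts and 2n XORs regardless of the operands, which is why implementations prefer it to the long division; gf_inverse deliberately raises for 0, since division by zero is not defined in the field.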



Example 4.23

Repeat Example 4.22 using bit patterns of size 8.

Solution

We have P1 = 00100110, P2 = 10011110, and the modulus 100011011 (nine bits). We show the exclusive-or operation by ⊕. See Table 4.8.

Table 4.8 An efficient algorithm for multiplication using n-bit words

  Power       Shift-left result   Reduction (⊕ 00011011)   Result
  x^0 ⊗ P2                                                 10011110
  x^1 ⊗ P2    00111100            Yes                      00100111
  x^2 ⊗ P2    01001110            No                       01001110
  x^3 ⊗ P2    10011100            No                       10011100
  x^4 ⊗ P2    00111000            Yes                      00100011
  x^5 ⊗ P2    01000110            No                       01000110

  P1 ⊗ P2 = (x ⊗ P2) ⊕ (x^2 ⊗ P2) ⊕ (x^5 ⊗ P2) = 00100111 ⊕ 01001110 ⊕ 01000110 = 00101111

In this case, we need only five shift-left operations and four exclusive-or operations to multiply the two polynomials. In general, a maximum of n − 1 shift-left operations and 2n exclusive-or operations are needed to multiply two polynomials of degree n − 1.

Multiplication of polynomials in GF(2^n) can be achieved using shift-left and exclusive-or operations.

Example 4.24

The GF(2^3) field has 8 elements. We use the irreducible polynomial (x^3 + x^2 + 1) and show the addition and multiplication tables for this field. We show both 3-bit words and the polynomials. Note that there are two irreducible polynomials of degree 3. The other one, (x^3 + x + 1), yields a totally different table for multiplication. Table 4.9 shows addition; the entries equal to 000 give us the additive inverse pairs.

Table 4.10 shows multiplication; the entries equal to 001 give us the multiplicative inverse pairs.

Using a Generator

Sometimes it is easier to define the elements of the GF(2^n) field using a generator. Let f(x) be the irreducible polynomial of the field. The element g represented by the polynomial x (the word 0...010) satisfies f(g) = 0 in this field, because f(x) mod f(x) = 0. If g is also a generator of the field (g is then called a primitive element and f(x) a primitive polynomial; this holds for the polynomials used in the following examples, but not for every irreducible polynomial), it can be proved that the elements of the field can be generated as

  {0, g^0, g^1, g^2, ..., g^N}, where N = 2^n − 2



Table 4.9 Addition table for GF(2^3)

  ⊕  | 000  001  010  011  100  101  110  111
 ----+----------------------------------------
 000 | 000  001  010  011  100  101  110  111
 001 | 001  000  011  010  101  100  111  110
 010 | 010  011  000  001  110  111  100  101
 011 | 011  010  001  000  111  110  101  100
 100 | 100  101  110  111  000  001  010  011
 101 | 101  100  111  110  001  000  011  010
 110 | 110  111  100  101  010  011  000  001
 111 | 111  110  101  100  011  010  001  000

The 000 entries lie on the diagonal: each word is its own additive inverse.

Table 4.10 Multiplication table for GF(2^3) with irreducible polynomial (x^3 + x^2 + 1)

  ⊗  | 000  001  010  011  100  101  110  111
 ----+----------------------------------------
 000 | 000  000  000  000  000  000  000  000
 001 | 000  001  010  011  100  101  110  111
 010 | 000  010  100  110  101  111  001  011
 011 | 000  011  110  101  001  010  111  100
 100 | 000  100  101  001  111  011  010  110
 101 | 000  101  111  010  011  110  100  001
 110 | 000  110  001  111  010  100  011  101
 111 | 000  111  011  100  110  001  101  010

Words and their polynomials: 000 (0), 001 (1), 010 (x), 011 (x + 1), 100 (x^2), 101 (x^2 + 1), 110 (x^2 + x), 111 (x^2 + x + 1). The 001 entries give the multiplicative inverse pairs: (001, 001), (010, 110), (011, 100), and (101, 111).

Example 4.25

Generate the elements of the field GF(2^4) using the irreducible polynomial f(x) = x^4 + x + 1.

Solution

The elements 0, g^0, g^1, g^2, and g^3 can be easily generated, because they are the 4-bit representations of 0000, 0001, 0010, 0100, and 1000. Elements g^4 through g^14, which would represent words of 5 bits or more, need to be divided by the irreducible polynomial. To avoid the polynomial division, the relation f(g) = g^4 + g + 1 = 0 can be used. Because in this field addition and subtraction are the same operation, g^4 = g + 1. We use this relation to find the value of all elements as 4-bit words:

  0    = 0                    (0000)        g^8  = g^2 + 1              (0101)
  g^0  = 1                    (0001)        g^9  = g^3 + g              (1010)
  g^1  = g                    (0010)        g^10 = g^2 + g + 1          (0111)
  g^2  = g^2                  (0100)        g^11 = g^3 + g^2 + g        (1110)
  g^3  = g^3                  (1000)        g^12 = g^3 + g^2 + g + 1    (1111)
  g^4  = g + 1                (0011)        g^13 = g^3 + g^2 + 1        (1101)
  g^5  = g^2 + g              (0110)        g^14 = g^3 + 1              (1001)
  g^6  = g^3 + g^2            (1100)
  g^7  = g^3 + g + 1          (1011)

The main idea is to reduce the terms g^4 to g^14 to a combination of the terms 1, g, g^2, and g^3 using the relation g^4 = g + 1. For example,

  g^5 = g × g^4 = g × (g + 1) = g^2 + g
  g^8 = g × g^7 = g × (g^3 + g + 1) = g^4 + g^2 + g = (g + 1) + g^2 + g = g^2 + 1

After the reduction, it is easy to transform the powers to an n-bit word. For example, g^3 + 1 is equivalent to 1001, because only the powers 0 and 3 are present. Note that two equal terms cancel each other in this process. For example, g + g = 0.

Inverses

Finding inverses using the above representation is simple.

Additive Inverses

The additive inverse of each element is the element itself, because addition and subtraction in this field are the same: −g^3 = g^3.

Multiplicative Inverses

Finding the multiplicative inverse of each element is also very simple. For example, we can find the multiplicative inverse of g^3 as shown below:

  (g^3)^−1 = g^−3 = g^(−3 mod 15) = g^12 = g^3 + g^2 + g + 1 → (1111)

Note that the exponents are calculated modulo 2^4 − 1 = 15 in this case. Therefore, the exponent −3 mod 15 = 12 mod 15. It can be easily proved that g^3 and g^12 are inverses of each other because g^3 × g^12 = g^15 = g^0 = 1.

The four operations defined for the field can also be performed using this representation.

Addition and Subtraction

Addition and subtraction are the same operation. The intermediate results can be simplified as shown in the following example. The following show the results of addition and subtraction operations:

Multiplication and Division

Multiplication is addition of powers modulo 2^n − 1. Division is multiplication using the multiplicative inverse. The following show the results of multiplication and division operations:
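The generator representation of Example 4.25 and the four operations just described, as an added Python example (not code from the textbook). It builds the power table g^0 ... g^14 for f(x) = x^4 + x + 1 exactly as above, reducing with g^4 = g + 1, derives the log table from it, and then does multiplication, inversion and division by exponent arithmetic modulo 15; the names build_tables, POWER, LOG, word, exponent, add, mul, inverse and div are the example's own. The table builder also checks the caveat from Using a Generator: if x is not a generator for the chosen modulus (for instance the irreducible but non-primitive x^4 + x^3 + x^2 + x + 1, where x^5 = 1), it raises instead of silently producing a wrong table.

```python
# Added example (not from the textbook): the generator representation of GF(2^4) from
# Example 4.25, with f(x) = x^4 + x + 1 and g = x.  It assumes f is a primitive polynomial
# (x really is a generator), which build_tables() verifies; arithmetic then reduces to
# exponent arithmetic modulo 2^n - 1.
from typing import Dict, List, Tuple

N_BITS = 4
MODULUS = 0b10011                 # f(x) = x^4 + x + 1
ORDER = (1 << N_BITS) - 1         # the 2^n - 1 = 15 nonzero elements are g^0 .. g^14


def build_tables(n: int = N_BITS, modulus: int = MODULUS) -> Tuple[List[int], Dict[int, int]]:
    """Return (power, log): power[k] is g^k as an n-bit word and log[w] recovers k from w.
    Multiplying by g = x is a left shift; when an x^n term appears it is rewritten with
    g^n = (lower terms of f), i.e. by XORing the modulus, exactly the g^4 = g + 1 step."""
    order = (1 << n) - 1
    power: List[int] = []
    log: Dict[int, int] = {}
    value = 1                                   # g^0
    for k in range(order):
        if value in log:                        # a repeat before 2^n - 1 steps: x is not a generator
            raise ValueError("x does not generate GF(2^%d) for this modulus (f is not primitive)" % n)
        power.append(value)
        log[value] = k
        value <<= 1
        if value >> n:
            value ^= modulus
    return power, log


POWER, LOG = build_tables()


def word(k: int) -> int:
    """g^k as a 4-bit word; exponents are taken modulo 2^n - 1."""
    return POWER[k % ORDER]


def exponent(w: int) -> int:
    """k such that g^k == w, for a nonzero word w."""
    return LOG[w]


def add(a: int, b: int) -> int:
    """Addition and subtraction are the same operation: XOR, since g^i + g^i = 0."""
    return a ^ b


def mul(a: int, b: int) -> int:
    """g^i x g^j = g^((i + j) mod (2^n - 1)); zero absorbs everything."""
    if a == 0 or b == 0:
        return 0
    return word(exponent(a) + exponent(b))


def inverse(a: int) -> int:
    """(g^k)^-1 = g^(-k mod (2^n - 1)); e.g. (g^3)^-1 = g^12.  Zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return word(-exponent(a))


def div(a: int, b: int) -> int:
    """Division is multiplication by the multiplicative inverse."""
    return mul(a, inverse(b))


if __name__ == "__main__":
    for k, w in enumerate(POWER):
        print("g^%-2d = %s" % (k, format(w, "04b")))
    inv = inverse(0b1000)
    print("(g^3)^-1 = g^%d = %s" % (exponent(inv), format(inv, "04b")))
```

With the tables in hand, multiplication costs two lookups and one addition modulo 15, which is how small-field multipliers are often implemented in software; the same construction works for GF(2^8) with a primitive modulus, but not with x^8 + x^4 + x^3 + x + 1, for which x is not a generator.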

Summary

The finite field GF(2^n) can be used to define the four operations of addition, subtraction, multiplication, and division on n-bit words. The only restriction is that division by zero is not defined. Each n-bit word can also be represented as a polynomial of degree n − 1 with coefficients in GF(2), which means that the operations on n-bit words are the same as the operations on these polynomials. To make it modular, we need to define an irreducible polynomial of degree n when we multiply two polynomials. The extended Euclidean algorithm can be applied to polynomials to find the multiplicative inverses.

& - 

4.3 RECOMMENDED READING

The following books and Web sites provide more details about subjects discussed in this chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

[Dur05], [Ros06], [BiaCB], [BW00], and [DHWJ] discuss algebraic structures thoroughly.

Web Sites

The following Web sites give more information about topics discussed in this chapter.




l^://eA.wikipc& 

btip;//ww^iMuijnu^ 3~XX, 
htfp://www,a>^miih^ 







4.4 KEY TERMS

abelian group
algebraic structure
associativity
closure
commutative group
commutative ring
commutativity
composition
cyclic group
cyclic subgroup
distributivity
existence of identity
existence of inverse
field
finite field
finite group
Galois field
group
irreducible polynomial
Lagrange's theorem
order of an element
order of a group
permutation group
polynomial


4.5 SUMMARY

□ Cryptography requires sets and specific operations defined on those sets. The combination of the set and the operations applied to the elements of the set is called an algebraic structure. Three algebraic structures were introduced in this chapter: groups, rings, and fields.

□ A group is an algebraic structure with a binary operation, shown as •, that satisfies four properties: closure, associativity, existence of identity, and existence of inverse. A commutative group, also called an abelian group, is a group in which the operator satisfies an extra property: commutativity.

□ A subset H of a group G is a subgroup of G if H itself is a group with respect to the operation on G. If a subgroup of a group can be generated using the powers of an element, the subgroup is called a cyclic subgroup. A cyclic group is a group that is its own cyclic subgroup.

□ Lagrange's theorem relates the order of a group to the order of its subgroups. If the orders of G and H are |G| and |H|, respectively, then |H| divides |G|.

□ The order of an element a in a group is the smallest positive integer n such that a^n = e.

□ A ring is an algebraic structure with two operations. The first operation needs to satisfy all five properties required for an abelian group. The second operation needs to satisfy only the first two. In addition, the second operation must be distributed over the first. A commutative ring is a ring in which the commutative property is also satisfied for the second operation.

□ A field is a commutative ring in which the second operation satisfies all five properties defined for the first operation except that the identity of the first operation has no inverse. A finite field, also called a Galois field, is a field with p^n elements, where p is a prime and n is a positive integer. GF(2^n) fields are used to allow operations on n-bit words in cryptography.

□ Polynomials with coefficients in GF(2) are used to represent n-bit words. Addition and multiplication on n-bit words can be defined as addition and multiplication of the corresponding polynomials, the latter modulo an irreducible polynomial of degree n.

□ Sometimes it is easier to define the elements of a GF(2^n) field using a generator. If g is a generator of the field, then f(g) = 0. Finding inverses and performing operations on the elements of the field become simpler when the elements are represented as the powers of the generator.




4.6 PRACTICE SET

Review Questions

1. Define an algebraic structure and list the three algebraic structures discussed in this chapter.

2. Define a group and distinguish between a group and a commutative group.

3. Define a ring and distinguish between a ring and a commutative ring.

4. Define a field and distinguish between an infinite field and a finite field.

5. Show the number of elements in Galois fields in terms of a prime number.

6. Give one example of a group using a set of residues.

7. Give one example of a ring using a set of residues.

8. Give one example of a field using a set of residues.

9. Show how a polynomial can represent an n-bit word.

10. Define an irreducible polynomial.

11. For the group G = <Z_4, +>:

a. Prove that it is an abelian group.

b. Show the result of 3 + 2 and 3 − 2.

12. For the group G = <Z_7*, ×>:

a. Prove that it is an abelian group.

b. Show the result of 5 × 1 and 1 ÷ 5.

c. Show why we should not worry about division by zero in this group.

13. Only one operation was defined for the group in Table 4.1. Assume that this operation is addition. Show the table for the subtraction operation (the inverse operation).

14. Prove that the permutation group in Table 4.2 is not commutative.

15. Partially prove that the permutation group in Table 4.2 satisfies associativity by giving a few cases.

16. Create a permutation table for two inputs and two outputs similar to Table 4.2.



a. G - <^3Ki +> 



17. Alice uses three consecutive permutations [1 3 2], [3 2 1], and [2 1 3]. Show how Bob can use only one permutation to reverse the process. Use Table 4.2.

18. Find all subgroups of the following groups:

a. G = <Z l& ,+>

b. G = <%i^ +>

c. G = <Z|£*< ×>

d. G = <Z_17*, ×>

19. Using Lagrange's theorem, find the orders of all the potential subgroups of the following groups:

20. Find the orders of all elements in the following groups:

a. G = <Z fti +>

b. G = <7^ r>

c. G = <5^*i ×>

d. G = <Z_7*, ×>

21. Redo Example 4.25 using the irreducible polynomial f(x) = x^4 + x^3 + 1.

22. Redo Example 4.26 using the irreducible polynomial f(x) = x^4 + x^3 + 1.

23. Redo Example 4.27 using the irreducible polynomial f(x) = x^4 + x^3 + 1.

24. Which of the following is a valid Galois field?

a. GF(12)

b. GF(13)

c. GF(16)

d. GF(17)

25. For each of the following n-bit words, find the polynomial that represents that word:

a. 10010

b. 10

c. 100001

d. 00011

26. Find the n-bit word that is represented by each of the following polynomials:

a. x + 1 in GF(2*)

b. ^ + 1 in GF(2-)

c. + 1 in GF(2^3)

d. x in GF(2^8)

27. In the field GF(7), find the result of:

a. 5 + 3

b. 5 − 4

c. 5 × 3

d. 5 ÷ 3



28. Prove that (x) and (x + 1) are irreducible polynomials of degree 1.

29. Prove that (x^2 + x + 1) is an irreducible polynomial of degree 2.

30. Prove that (x^3 + x^2 + 1) is an irreducible polynomial of degree 3.

31. Multiply the following n-bit words using polynomials:

a. (11) × (10)

b. (1010) × (1000)

c. (11100) × (10000)

32. Find the multiplicative inverse of the following polynomials in GF(2^2). Note that there is only one modulus for this field.

a. 1

b. x

33. Use the extended Euclidean algorithm to find the inverse of (x^4 + x^3 + 1) in GF(2^5) using the modulus (x^5 + x^2 + 1).

34. Create a table for addition and multiplication for GF(2^4), using (x^4 + x^3 + 1) as the modulus.

35. Using Table 4.10, perform the following operations:

a. (100) + (010)

b. (100) + (000)

c. (101) × (011)

d. (000) + (111)

36. Show how to multiply (x* +r^A I J by (x^2 + 1) in GF(2^4) using the algorithm in Table 4.7. Use (x^4 + x^3 + 1) as the modulus.

37. Show how to multiply (10101) by (10000) in GF(2^5) using the algorithm in Table 4.8. Use (x^5 + x^2 + 1) as the modulus.



Chapter 5

Introduction to Modern Symmetric-Key Ciphers

Objectives

This chapter has several objectives:

□ To distinguish between traditional and modern symmetric-key ciphers.

□ To introduce modern block ciphers and discuss their characteristics.

□ To explain why modern block ciphers need to be designed as substitution ciphers.

□ To introduce components of block ciphers such as P-boxes and S-boxes.

□ To discuss product ciphers and distinguish between two classes of product ciphers: Feistel and non-Feistel ciphers.

□ To discuss two kinds of attacks particularly designed for modern block ciphers: differential and linear cryptanalysis.

□ To introduce stream ciphers and to distinguish between synchronous and nonsynchronous stream ciphers.

□ To discuss linear and nonlinear feedback shift registers for implementing stream ciphers.

The traditional symmetric-key ciphers that we have studied so far are character-oriented ciphers. With the advent of the computer, we need bit-oriented ciphers. This is because the information to be encrypted is not just text; it can also consist of numbers, graphics, audio, and video data. It is convenient to convert these types of data into a stream of bits, to encrypt the stream, and then to send the encrypted stream. In addition, when text is treated at the bit level, each character is replaced by 8 (or 16) bits, which means that the number of symbols becomes 8 (or 16) times larger. Mixing a larger number of symbols increases security.

This chapter provides the necessary background for the study of the modern block and stream ciphers discussed in the next three chapters. Most of this chapter is devoted to discussion of the general ideas behind modern block ciphers; a small part is dedicated to discussion of the principles of modern stream ciphers.

5.1 MODERN BLOCK CIPHERS

A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of ciphertext. The encryption or decryption algorithm uses a k-bit key. The decryption algorithm must be the inverse of the encryption algorithm, and both operations must use the same secret key so that Bob can retrieve the message sent by Alice. Figure 5.1 shows the general idea of encryption and decryption in a modern block cipher.






Figure 5.1 A modern block cipher (encryption and decryption of an n-bit block under a k-bit key; diagram not reproduced)

If the message has fewer than n bits, padding must be added to make it an n-bit block; if the message has more than n bits, it should be divided into n-bit blocks and the appropriate padding must be added to the last block if necessary. The common values for n are 64, 128, 256, or 512 bits.



Example 5.1

How many padding bits must be added to a message of 100 characters if 8-bit ASCII is used for encoding and the block cipher accepts blocks of 64 bits?

Solution

Encoding 100 characters using 8-bit ASCII results in an 800-bit message. The plaintext must be divisible by 64. If |M| and |Pad| are the length of the message and the length of the padding,

|M| + |Pad| = 0 mod 64

|Pad| = −800 mod 64 = 32

This means that 32 bits of padding (for example, 0's) need to be added to the message. The plaintext then consists of 832 bits or thirteen 64-bit blocks. Note that only the last block contains padding. The cipher uses the encryption algorithm thirteen times to create thirteen ciphertext blocks.



Substitution or Transposition

A modern block cipher can be designed to act as a substitution cipher or a transposition cipher. This is the same idea as is used in traditional ciphers, except that the symbols to be substituted or transposed are bits instead of characters.

If the cipher is designed as a substitution cipher, a 1-bit or a 0-bit in the plaintext can be replaced by either a 0 or a 1. This means that the plaintext and the ciphertext can have a different number of 1's. A plaintext block of 12 0's and 52 1's can be encrypted to a ciphertext of 34 0's and 30 1's. If the cipher is designed as a transposition cipher, the bits are only reordered (transposed); there is the same number of 1's in the plaintext and in the ciphertext. In either case, the number of possible n-bit plaintexts or ciphertexts is 2^n, because each of the n bits in the block can have one of the two values, 0 or 1.

Modern block ciphers are designed as substitution ciphers because the inherent characteristics of transposition (preserving the number of 1's or 0's) make the cipher vulnerable to exhaustive-search attacks, as the next example shows.

Example 5.2

Suppose that we have a block cipher where n = 64. If there are 10 1's in the ciphertext, how many trial-and-error tests does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the following cases?

a. The cipher is designed as a substitution cipher.

b. The cipher is designed as a transposition cipher.

Solution

a. In the first case (substitution), Eve has no idea how many 1's are in the plaintext. Eve needs to try all possible 2^64 64-bit blocks to find one that makes sense. If Eve could try 1 billion blocks per second, it would still take hundreds of years, on average, before she could be successful.

b. In the second case (transposition), Eve knows that there are exactly 10 1's in the plaintext, because transposition does not change the number of 1's (or 0's) in the ciphertext. Eve can launch an exhaustive-search attack using only those 64-bit blocks that have exactly 10 1's. There are only (64!)/[(10!)(54!)] = 151,473,214,816 out of 2^64 64-bit words that have exactly 10 1's. Eve can test all of them in less than 3 minutes if she can do 1 billion tests per second.

To be resistant to exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher.

Ciphers as Permutation Groups

As we will see in later chapters, we need to know whether a modern block cipher is a group (see Chapter 4). To answer this question, first assume that the key is long enough to choose every possible mapping from the input to the output. Call this a full-size key cipher. In practice, however, the key is smaller: only some mappings from the input to the output are possible. Although a block cipher needs to have a key that is a secret between the sender and the receiver, there are also keyless components that are used inside a cipher.



Full-Size Key Ciphers

Although full-size key ciphers are not used in practice, we first discuss this category to make the discussion of partial-size key ciphers understandable.

Full-Size Key Transposition Block Ciphers A full-size key transposition cipher only transposes bits without changing their values, so it can be modeled as an n-object permutation with a set of n! permutation tables in which the key defines which table is used by Alice and Bob. Since we have n! possible tables, the key should have

⌈log2 n!⌉ bits

Example 5.3

Show the model and the set of permutation tables for a 3-bit block transposition cipher where the block size is 3 bits.

Solution

The set of permutation tables has 3! = 6 elements, as shown in Figure 5.2. The key should be ⌈log2 6⌉ = 3 bits long. Note that, though a 3-bit key can select 2^3 = 8 different mappings, we use only 6 of them.

Figure 5.2 A transposition block cipher modeled as a permutation (3-bit block, 3-bit key; diagram not reproduced)

Full-Size Key Substitution Block Ciphers A full-size key substitution cipher does not transpose bits; it substitutes bits. At first glance, it appears that a full-size key substitution cipher cannot be modeled as a permutation. However, we can model the substitution cipher as a permutation if we can decode the input and encode the output. Decoding means transforming an n-bit integer into a 2^n-bit string with only a single 1 and 2^n − 1 0's. The position of the single 1 is the value of the integer, in which the positions range from 0 to 2^n − 1. Encoding is the reverse process. Because the new input and output always have a single 1, the cipher can be modeled as a permutation of 2^n! objects.

Example 5.4

Show the model and the set of permutation tables for a 3-bit block substitution cipher.

Solution

A 3-bit input plaintext can be an integer between 0 and 7. This can be decoded as an 8-bit string with a single 1. For example, 000 can be decoded as 00000001; 101 can be decoded as 00100000. Figure 5.3 shows the model and the set of permutation tables. Note that the number of elements in the set is much bigger than the number of elements in the transposition cipher (8! = 40,320). The key is also much longer, ⌈log2 40320⌉ = 16 bits. Although a 16-bit key can define 2^16 different mappings, only 40,320 are used.



Figure 5.3 A substitution block cipher modeled as a permutation (3-bit block decoded to 8 bits, 16-bit key; diagram not reproduced)



A full-size key n-bit transposition cipher or a substitution block cipher can be modeled as a permutation, but their key sizes are different:

For a transposition cipher, the key is ⌈log2 n!⌉ bits long.
For a substitution cipher, the key is ⌈log2 (2^n)!⌉ bits long.

Permutation Group The fact that a full-size key transposition or substitution cipher is a permutation shows that, if encryption (or decryption) uses more than one stage of any of these ciphers, the result is equivalent to a permutation group under the composition operation. As discussed in Chapter 4, two or more cascaded permutations can always be replaced with a single permutation. This means that it is useless to have more than one stage of full-size key ciphers, because the effect is the same as having a single stage.
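The permutation model of Example 5.4 and the cascading argument above, as an added example that is not part of the text: a 3-bit substitution cipher is decoded to one-hot objects, and two full-size-key stages (the two tables are constructed) collapse into one permutation.

```python
# Added example (not from the text): the full-size-key models of this section.
# A 3-bit substitution cipher is modeled as a permutation of 2^3 = 8 one-hot
# objects (decode/encode as in Example 5.4), and two cascaded full-size-key
# stages collapse into one permutation (the permutation-group argument).
import math

N = 3                     # block size in bits
SIZE = 2 ** N             # number of possible n-bit blocks


def decode(x: int) -> str:
    """n-bit integer -> 2^n-bit string with a single 1 at position x (counted from the right)."""
    if not 0 <= x < SIZE:
        raise ValueError("input must be an n-bit value")
    return format(1 << x, f"0{SIZE}b")


def encode(s: str) -> int:
    """Reverse of decode: position of the single 1, counted from the right."""
    if len(s) != SIZE or s.count("1") != 1:
        raise ValueError("not a one-hot string")
    return SIZE - 1 - s.index("1")


def is_permutation(table) -> bool:
    """A substitution table is a valid full-size-key cipher only if it is a bijection."""
    return sorted(table) == list(range(SIZE))


def substitute(x: int, table) -> int:
    """One stage of a keyed substitution cipher: the key has selected `table`."""
    return table[x]


def compose(first, second):
    """Table of the cipher 'apply `first`, then `second`' (composition of permutations)."""
    return [second[first[x]] for x in range(SIZE)]


def key_bits_transposition(n: int) -> int:
    """Full-size key for an n-bit transposition cipher: ceil(log2 n!)."""
    return math.ceil(math.log2(math.factorial(n)))


def key_bits_substitution(n: int) -> int:
    """Full-size key for an n-bit substitution cipher: ceil(log2 (2^n)!)."""
    return math.ceil(math.log2(math.factorial(2 ** n)))


def key_bits_substitution_approx(n: int) -> float:
    """Stirling's approximation log2(m!) ~ m*log2(m) - m*log2(e), for block sizes
    such as n = 64 where (2^n)! cannot be computed directly."""
    m = 2.0 ** n
    return m * (math.log2(m) - math.log2(math.e))


# Two constructed full-size-key tables (two different keys select them).
STAGE1 = [5, 2, 7, 0, 3, 6, 1, 4]
STAGE2 = [3, 0, 6, 1, 7, 2, 5, 4]


def two_stage_equals_one_stage() -> bool:
    """Cascading STAGE1 then STAGE2 is the same mapping as the single table compose()."""
    single = compose(STAGE1, STAGE2)
    return is_permutation(single) and all(
        substitute(substitute(x, STAGE1), STAGE2) == substitute(x, single)
        for x in range(SIZE)
    )


if __name__ == "__main__":
    print(decode(0b101), encode(decode(0b101)))                 # 00100000 5
    print(key_bits_transposition(3), key_bits_substitution(3))  # 3 16
    print(two_stage_equals_one_stage())                         # True
```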

Partial-Size Key Ciphers

Actual ciphers cannot use full-size keys because the size of the key becomes so large, especially for a substitution block cipher. For example, a common substitution cipher is DES (see Chapter 6), which uses a 64-bit block cipher. If the designers of DES had used a full-size key, the key would have been ⌈log2 (2^64)!⌉ ≈ 2^70 bits. The key size for DES is only 56 bits, which is a very small fraction of the full-size key. This means that DES uses only 2^56 mappings out of approximately 2^(2^70) possible mappings.

Permutation Group Now the question is whether a multi-stage partial-key transposition or substitution is a permutation group under the composition operation. This question is extremely important because it tells us whether a multi-stage version of the same cipher can be made to achieve more security (see the discussion of multiple DES in Chapter 6). A partial-key cipher is a group if it is a subgroup of the corresponding full-size key cipher. In other words, if the full-size key cipher makes a group G = <M, ∘>, where M is a set of mappings and the operation is the composition (∘), then the partial-size key cipher must make a subgroup H = <N, ∘>, where N is a subset of M and the operation is the same.

For example, it has been proved that the multi-stage DES with a 56-bit key is not a group because no subgroup with 2^56 mappings can be created from the corresponding group with (2^64)! mappings.



A partial-key cipher is a group under the composition operation if it is a subgroup of the corresponding full-size key cipher.

^ 

Keyless Ciphers

Although a keyless cipher is practically useless by itself, keyless ciphers are used as components of keyed ciphers.

Keyless Transposition Ciphers A keyless (or fixed-key) transposition cipher (or unit) can be thought of as a prewired transposition cipher when implemented in hardware. The fixed key (single permutation table) can be represented as a table when the unit is implemented in software. The next section of this chapter discusses keyless transposition ciphers, called P-boxes, which are used as building blocks of modern block ciphers.

Keyless Substitution Ciphers A keyless (or fixed-key) substitution cipher (or unit) can be thought of as a predefined mapping from the input to the output. The mapping can be defined as a table, a mathematical function, and so on. The next section of this chapter discusses keyless substitution ciphers, called S-boxes, which are used as building blocks of modern block ciphers.



Components of a Modern Block Cipher

Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs. However, modern block ciphers normally are not designed as a single unit. To provide the required properties of a modern block cipher, such as diffusion and confusion (discussed shortly), a modern block cipher is made of a combination of transposition units (called P-boxes), substitution units (called S-boxes), and some other units (discussed shortly).



P-Boxes

A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits. We can find three types of P-boxes in modern block ciphers: straight P-boxes, expansion P-boxes, and compression P-boxes, as shown in Figure 5.4.

Figure 5.4 Three types of P-boxes (a 5 × 5 straight P-box, a 5 × 3 compression P-box, and a 3 × 5 expansion P-box; diagram not reproduced)

Figure 5.4 shows a 5 × 5 straight P-box, a 5 × 3 compression P-box, and a 3 × 5 expansion P-box. We will discuss each of them in more detail.

Straight P-Boxes A straight P-box with n inputs and n outputs is a permutation. There are n! possible mappings.

Example 5.5

Figure 5.5 shows all 6 possible mappings of a 3 × 3 P-box.

Figure 5.5 The possible mappings of a 3 × 3 P-box (diagram not reproduced)

Although a P-box can use a key to define one of the n! mappings, P-boxes are normally keyless, which means that the mapping is predetermined. If the P-box is implemented in hardware, it is prewired; if it is implemented in software, a permutation table shows the rule of mapping. In the second case, the entries in the table are the inputs and the positions of the entries are the outputs. Table 5.1 shows an example of a straight permutation table when n is 64.



Table 5.1 Example of a permutation table for a straight P-box

58 50 42 34 26 18 10 02 60 52 44 36 28 20 12 04
62 54 46 38 30 22 14 06 64 56 48 40 32 24 16 08
57 49 41 33 25 17 09 01 59 51 43 35 27 19 11 03
61 53 45 37 29 21 13 05 63 55 47 39 31 23 15 07

Table 5.1 has 64 entries corresponding to the 64 inputs. The position (index) of the entry corresponds to the output. Because the first entry contains the number 58, we know that the first output comes from the 58th input. Because the last entry is 7, we know that the 64th output comes from the 7th input, and so on.

Example 5.6

Design an 8 × 8 permutation table for a straight P-box that moves the two middle bits (bits 4 and 5) in the input word to the two ends (bits 1 and 8) in the output word. Relative positions of other bits should not be changed.

Solution

We need a straight P-box with the table [4 1 2 3 6 7 8 5]. The relative positions of input bits 1, 2, 3, 6, 7, and 8 have not been changed. The first output takes the fourth input and the eighth output takes the fifth input.

Compression P-Boxes A compression P-box is a P-box with n inputs and m outputs where m < n. Some of the inputs are blocked and do not reach the output (see Figure 5.4). The compression P-boxes used in modern block ciphers normally are keyless with a permutation table showing the rule for transposing bits. We need to know that a permutation table for a compression P-box has m entries, but the content of each entry is from 1 to n with some missing values (those inputs that are blocked). Table 5.2 shows an example of a permutation table for a 32 × 24 compression P-box. Note that inputs 7, 8, 9, 15, 16, 23, 24, and 25 are blocked.

Table 5.2 Example of a 32 × 24 permutation table




Compression P-boxes are used when we need to permute bits and at the same time decrease the number of bits for the next stage.

Expansion P-Boxes An expansion P-box is a P-box with n inputs and m outputs where m > n. Some of the inputs are connected to more than one output (see Figure 5.4). The expansion P-boxes used in modern block ciphers normally are keyless, where a permutation table shows the rule for transposing bits. We need to know that a permutation table for an expansion P-box has m entries, but m − n of the entries are repeated (those inputs mapped to more than one output). Table 5.3 shows an example of a permutation table for a 12 × 16 expansion P-box. Note that each of the inputs 1, 3, 9, and 12 is mapped to two outputs.

Table 5.3 Example of a 12 × 16 permutation table

01 09 10 11 12 01 02 03 03 04 05 06 07 08 09 12



Expansion P-boxes are used when we need to permute bits and at the same time increase the number of bits for the next stage.

Invertibility A straight P-box is invertible. This means that we can use a straight P-box in the encryption cipher and its inverse in the decryption cipher. The permutation tables, however, need to be the inverses of each other. In a straight P-box, the inverse of a permutation table can be made as shown in the next example.

Example 5.7

Figure 5.6 shows how to invert a permutation table represented as a one-dimensional table.

Figure 5.6 Inverting a permutation table (steps: 1. original table, 2. add indices, 3. sort, 4. inverted table; diagram not reproduced)

Compression and expansion P-boxes have no inverses. In a compression P-box, an input can be dropped during encryption; the decryption algorithm does not know how to recover the dropped bit (in Figure 5.7, output 2 can have any value). In an expansion P-box, an input may be mapped to more than one output during encryption; the decryption algorithm does not know which of the two outputs to select (in Figure 5.7, input 1 is mapped to outputs 1 and 2, and one of the two cannot be selected definitely). Figure 5.7 demonstrates both cases.

Figure 5.7 Compression and expansion P-boxes are noninvertible components (diagram not reproduced)




Figure 5.7 also shows that a compression P-box is not the inverse of an expansion P-box or vice versa. This means that if we use a compression P-box in the encryption cipher, we cannot use an expansion P-box in the decryption cipher, or vice versa. However, as will be shown later in this chapter, there are ciphers that use compression or expansion P-boxes in the encryption cipher; the effects of these are canceled in some other ways in the decryption cipher.

A straight P-box is invertible, but compression and expansion P-boxes are not.
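The permutation tables of this section driven by code, as an added example that is not part of the text: Table 5.1, the table of Example 5.6 and Table 5.3 are taken from the text, the 8 × 6 compression table is constructed, and the inversion follows the procedure of Figure 5.6.

```python
# Added example (not from the text): P-boxes driven by the permutation tables of
# this section. Convention of the text: entry i of a table names the INPUT bit
# that feeds OUTPUT position i; bits are numbered 1..n from the left.
from typing import List

# Table 5.1: the 64-entry straight table (64 x 64).
TABLE_5_1 = [
    58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7,
]
# Example 5.6: 8 x 8 straight table moving the middle bits to the ends.
TABLE_EX_5_6 = [4, 1, 2, 3, 6, 7, 8, 5]
# Table 5.3: 12 x 16 expansion table (inputs 1, 3, 9, 12 used twice).
TABLE_5_3 = [1, 9, 10, 11, 12, 1, 2, 3, 3, 4, 5, 6, 7, 8, 9, 12]
# Constructed 8 x 6 compression table: inputs 3 and 6 are blocked.
TABLE_COMPRESS = [1, 2, 4, 5, 7, 8]


def apply_pbox(bits: str, table: List[int]) -> str:
    """Output bit i (1-based) is input bit table[i-1]. Works for all three P-box types."""
    n_in = len(bits)
    if any(not 1 <= src <= n_in for src in table):
        raise ValueError("table refers to an input bit that does not exist")
    return "".join(bits[src - 1] for src in table)


def classify(table: List[int], n_inputs: int) -> str:
    """Straight: a permutation of 1..n. Compression: fewer outputs, some inputs
    blocked. Expansion: more outputs, some inputs duplicated."""
    m = len(table)
    if m == n_inputs and sorted(table) == list(range(1, m + 1)):
        return "straight"
    if m < n_inputs and len(set(table)) == m:
        return "compression"
    if m > n_inputs and set(table) == set(range(1, n_inputs + 1)):
        return "expansion"
    raise ValueError("not a well-formed P-box table")


def blocked_inputs(table: List[int], n_inputs: int) -> List[int]:
    """Inputs of a compression P-box that never reach an output."""
    return [i for i in range(1, n_inputs + 1) if i not in table]


def invert_table(table: List[int]) -> List[int]:
    """The procedure of Figure 5.6: pair each entry with its index, sort on the entry,
    and read the indices back. Only a straight P-box (a permutation) has an inverse."""
    if sorted(table) != list(range(1, len(table) + 1)):
        raise ValueError("only a straight P-box is invertible")
    indexed = sorted(zip(table, range(1, len(table) + 1)))   # (input bit, output position)
    return [out_pos for _, out_pos in indexed]


def has_inverse(table: List[int]) -> bool:
    try:
        invert_table(table)
        return True
    except ValueError:
        return False


def round_trips(table: List[int], bits: str) -> bool:
    """Encrypt-side P-box followed by its inverse on the decrypt side restores the word."""
    return apply_pbox(apply_pbox(bits, table), invert_table(table)) == bits


if __name__ == "__main__":
    print(apply_pbox("00011000", TABLE_EX_5_6))   # 10000001: middle bits moved to the ends
    print(invert_table(TABLE_EX_5_6))             # [2, 3, 4, 1, 8, 5, 6, 7]
    print(has_inverse(TABLE_5_3), has_inverse(TABLE_COMPRESS))   # False False
```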



S-Boxes

An S-box (substitution box) can be thought of as a miniature substitution cipher. However, an S-box can have a different number of inputs and outputs. In other words, the input to an S-box could be an n-bit word, but the output can be an m-bit word, where m and n are not necessarily the same. Although an S-box can be keyed or keyless, modern block ciphers normally use keyless S-boxes, where the mapping from the inputs to the outputs is predetermined.

An S-box is an m × n substitution unit, where m and n are not necessarily the same.

Linear Versus Nonlinear S-Boxes In an S-box with n inputs and m outputs, we call the inputs x1, …, xn and the outputs y1, …, ym. The relationship between the inputs and the outputs can be represented as a set of equations:

y1 = f1(x1, x2, …, xn)   y2 = f2(x1, x2, …, xn)   …   ym = fm(x1, x2, …, xn)

In a linear S-box, the above relations can be expressed as

y1 = a1,1 x1 ⊕ a1,2 x2 ⊕ … ⊕ a1,n xn   …   ym = am,1 x1 ⊕ am,2 x2 ⊕ … ⊕ am,n xn

In a nonlinear S-box we cannot have the above relations for every output.
Example 5.8

In an S-box with three inputs and two outputs, we have

y1 = x1 ⊕ x2 ⊕ x3   y2 = x1

The S-box is linear because a1,1 = a1,2 = a1,3 = 1 and a2,1 = 1, a2,2 = a2,3 = 0. The relationship can be represented by matrices, as shown below:

[y1; y2] = [1 1 1; 1 0 0] × [x1; x2; x3]

Example 5.9

In an S-box with three inputs and two outputs, we have

where multiplication and addition is in GF(2). The S-box is nonlinear because there is no linear relationship between the inputs and the outputs.

Example 5.10

The following table defines the input/output relationship for an S-box of size 3 × 2. The leftmost bit of the input defines the row; the two rightmost bits of the input define the column. The two output bits are values on the cross section of the selected row and column.

Based on the table, an input of 010 yields the output 01. An input of 101 yields the output of 00.

Invertibility S-boxes are substitution ciphers in which the relationship between input and output is defined by a table or mathematical function. An S-box may or may not be invertible. In an invertible S-box, the number of input bits should be the same as the number of output bits.

Example 5.11

Figure 5.8 shows an example of an invertible S-box. One of the tables is used in the encryption algorithm; the other table is used in the decryption algorithm. In each table, the leftmost bit of the input defines the row; the next two bits define the column. The output is the value where the input row and column meet.

For example, if the input to the left box is 001, the output is 101. The input 101 in the right table creates the output 001, which shows that the two tables are inverses of each other.
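A linearity test over GF(2) for 3 × 2 S-boxes, as an added example that is not part of the text: the linear S-box is built from the coefficients of Example 5.8, the nonlinear one is constructed for contrast, and the row/column layout of Example 5.10 is generated from the truth table.

```python
# Added example (not from the text): testing whether an S-box is linear over GF(2),
# and building the row/column lookup table used in Example 5.10. The linear 3 x 2
# S-box uses the coefficients of Example 5.8 (a11 = a12 = a13 = 1, a21 = 1,
# a22 = a23 = 0); the nonlinear S-box is constructed for contrast.
from itertools import product
from typing import Callable, Dict, List, Tuple

N_IN, N_OUT = 3, 2
SboxFn = Callable[[int, int, int], Tuple[int, int]]


def linear_sbox(x1: int, x2: int, x3: int) -> Tuple[int, int]:
    """y1 = x1 + x2 + x3, y2 = x1 (addition in GF(2) is XOR)."""
    return (x1 ^ x2 ^ x3, x1)


def nonlinear_sbox(x1: int, x2: int, x3: int) -> Tuple[int, int]:
    """Constructed: y1 = x1*x2 + x3, y2 = x1. The product term makes it nonlinear."""
    return ((x1 & x2) ^ x3, x1)


def truth_table(fn: SboxFn) -> Dict[int, int]:
    """Map each 3-bit input (x1 is the leftmost bit) to its 2-bit output (y1 leftmost)."""
    table = {}
    for x1, x2, x3 in product((0, 1), repeat=N_IN):
        y1, y2 = fn(x1, x2, x3)
        table[(x1 << 2) | (x2 << 1) | x3] = (y1 << 1) | y2
    return table


def is_linear(table: Dict[int, int]) -> bool:
    """Linear over GF(2) means S(a XOR b) == S(a) XOR S(b) for every pair of inputs
    (which also forces S(0) == 0)."""
    inputs = range(1 << N_IN)
    return all(table[a ^ b] == table[a] ^ table[b] for a in inputs for b in inputs)


def coefficient_matrix(table: Dict[int, int]) -> List[List[int]]:
    """For a linear S-box, column j of the m x n matrix A is S(e_j), the output for the
    input with only x_j set; then y = A x over GF(2)."""
    if not is_linear(table):
        raise ValueError("coefficients a_ij only exist for a linear S-box")
    cols = [table[1 << (N_IN - 1 - j)] for j in range(N_IN)]        # S(e_1), S(e_2), S(e_3)
    return [[(cols[j] >> (N_OUT - 1 - i)) & 1 for j in range(N_IN)] for i in range(N_OUT)]


def row_col_table(table: Dict[int, int]) -> List[List[int]]:
    """Layout of Example 5.10: leftmost input bit selects the row, the two rightmost
    bits select the column, the cell holds the 2-bit output."""
    return [[table[(row << 2) | col] for col in range(4)] for row in range(2)]


def lookup(rows: List[List[int]], x: int) -> int:
    """Read an S-box given in row/column form."""
    return rows[(x >> 2) & 1][x & 3]


if __name__ == "__main__":
    lin = truth_table(linear_sbox)
    print(is_linear(lin), coefficient_matrix(lin))      # True [[1, 1, 1], [1, 0, 0]]
    print(is_linear(truth_table(nonlinear_sbox)))       # False
    print(row_col_table(lin))
```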

Exclusive-Or

An important component in most block ciphers is the exclusive-or operation. As we discussed in Chapter 4, addition and subtraction operations in the GF(2^n) field are performed by a single operation called the exclusive-or (XOR).



Figure 5.8 S-box tables for Example 5.11 (3-bit input; left table used for encryption, right table used for decryption; diagram not reproduced)

Properties The five properties of the exclusive-or operation in the GF(2^n) field make this operation a very interesting component for use in a block cipher.

1. Closure: This property guarantees that the result of exclusive-oring two n-bit words is another n-bit word.

2. Associativity: This property allows us to use more than one exclusive-or operator in any order.

x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z

3. Commutativity: This property allows us to swap the inputs without affecting the output.

x ⊕ y = y ⊕ x

4. Existence of identity: The identity element for the exclusive-or operation is an n-bit word that consists of all 0's, or (00…0). This implies that exclusive-oring of a word with the identity element does not change that word.

x ⊕ (00…0) = x

We use this property in the Feistel cipher discussed later in this chapter.

5. Existence of inverse: In the GF(2^n) field, each word is the additive inverse of itself. This implies that exclusive-oring of a word with itself yields the identity element.

x ⊕ x = (00…0)

We also use this property in the Feistel cipher discussed later in this chapter.

Complement The complement operation is a unary operation (one input and one output) that flips each bit in a word. A 0-bit is changed to a 1-bit; a 1-bit is changed to a 0-bit. We are interested in the complement operation in relation to the exclusive-or operation. If x̄ is the complement of x, then the following two relations hold:

x ⊕ x̄ = (11…1)   and   x ⊕ (11…1) = x̄



We also use these properties later in this chapter when we discuss the security of some ciphers.

Inverses The inverse of a component in a cipher makes sense if the component represents a unary operation (one input and one output). For example, a keyless P-box or a keyless S-box can be made invertible because they have one input and one output. An exclusive-or operation, however, is a binary operation; its inverse makes sense only if one of the inputs is fixed (is the same in encryption and decryption). For example, if one of the inputs is the key, which normally is the same in encryption and decryption, then an exclusive-or operation is self-invertible, as shown in Figure 5.9.

Figure 5.9 Invertibility of the exclusive-or operation (encryption and decryption; diagram not reproduced)

In Figure 5.9, the additive property implies that exclusive-oring the ciphertext with the same key recovers the plaintext. We will use this property when we discuss the structure of block ciphers later in this chapter.

Circular Shift

Another component found in some modern block ciphers is the circular shift operation. Shifting can be to the left or to the right. The circular left-shift operation shifts each bit in an n-bit word k positions to the left; the leftmost k bits are removed from the left and become the rightmost bits. The circular right-shift operation shifts each bit in an n-bit word k positions to the right; the rightmost k bits are removed from the right and become the leftmost bits. Figure 5.10 shows both left and right operations in the case where n = 8 and k = 3.

The circular shift operation mixes the bits in a word and helps hide the patterns in the original word. Although the number of positions to be shifted can be used as a key, the circular shift operation normally is keyless; the value of k is fixed and predetermined.

Invertibility A circular left-shift operation is the inverse of the circular right-shift operation. If one is used in the encryption cipher, the other can be used in the decryption cipher.

Property The circular shift operation has two properties that we need to be aware of. First, the shifting is modulo n. In other words, if k = 0 or k = n, there is no shifting. If k is larger than n, then the input is shifted k mod n bits. Second, the circular shift operation



Figure 5.10 Circular shifting an 8-bit word to the left or right (before shifting, shift 3 bits, after shifting; diagram not reproduced)

under the composition operation is a group. This means that shifting a word more than once is the same as shifting it only once.

Swap The swap operation is a special case of the circular shift operation where k = n/2. This means that this operation is valid only if n is an even number. Because left-shifting n/2 bits is the same as right-shifting n/2 bits, this component is self-invertible. A swap operation in the encryption cipher can be totally canceled by a swap operation in the decryption cipher. Figure 5.11 shows the swapping operation for an 8-bit word.



Figure 5.11 Swap operation on an 8-bit word (encryption and decryption; diagram not reproduced)

Split and Combine

Two other operations found in some block ciphers are split and combine. The split operation normally splits an n-bit word in the middle, creating two equal-length words. The combine operation normally concatenates two equal-length words to create an n-bit word. These two operations are inverses of each other and can be used as a pair to cancel each other out. If one is used in the encryption cipher, the other is used in the decryption cipher. Figure 5.12 shows the two operations in the case where n = 8.



Product Ciphers

Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components discussed in previous sections.



Figure 5.12 Split and combine operations on an 8-bit word (encryption and decryption; diagram not reproduced)

Diffusion and Confusion

Shannon's idea in introducing the product cipher was to enable the block ciphers to have two important properties: diffusion and confusion. The idea of diffusion is to hide the relationship between the ciphertext and the plaintext. This will frustrate the adversary who uses ciphertext statistics to find the plaintext. Diffusion implies that each symbol (character or bit) in the ciphertext is dependent on some or all symbols in the plaintext. In other words, if a single symbol in the plaintext is changed, several or all symbols in the ciphertext will also be changed.

Diffusion hides the relationship between the ciphertext and the plaintext.

The idea of confusion is to hide the relationship between the ciphertext and the key. This will frustrate the adversary who tries to use the ciphertext to find the key. In other words, if a single bit in the key is changed, most or all bits in the ciphertext will also be changed.

Confusion hides the relationship between the ciphertext and the key.
^ 



Rounds

Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components. Each iteration is referred to as a round. The block cipher uses a key schedule or key generator that creates different keys for each round from the cipher key. In an N-round cipher, the plaintext is encrypted N times to create the ciphertext; the ciphertext is decrypted N times to create the plaintext. We refer to the text created at the intermediate levels (between two rounds) as the middle text. Figure 5.13 shows a simple product cipher with two rounds. In practice, product ciphers have more than two rounds.

In Figure 5.13, three transformations happen at each round:

a. The 8-bit text is mixed with the key to whiten the text (hide the bits using the key). This is normally done by exclusive-oring the 8-bit word with the 8-bit key.

b. The outputs of the whitener are organized into four 2-bit groups and are fed into four S-boxes. The values of bits are changed based on the structure of the S-boxes in this transformation.

c. The outputs of S-boxes are passed through a P-box to permute the bits so that in the next round each box receives different inputs.



Figure 5.13 A product cipher made of two rounds (diagram not reproduced)

Diffusion The primitive design of Figure 5.13 shows how a product with the combination of S-boxes and P-boxes can guarantee diffusion. Figure 5.14 shows how changing a single bit in the plaintext affects many bits in the ciphertext.

a. In the first round, bit 8, after being exclusive-ored with the corresponding bit of K1, affects two bits (bits 7 and 8) through S-box 4. Bit 7 is permuted and becomes bit 2; bit 8 is permuted and becomes bit 4. After the first round, bit 8 has affected bits 2 and 4. In the second round, bit 2, after being exclusive-ored with the corresponding bit of K2, affects two bits (bits 1 and 2) through S-box 1. Bit 1 is permuted and becomes bit 6; bit 2 is permuted and becomes bit 1. Bit 4, after being exclusive-ored with the corresponding bit in K2, affects bits 3 and 4. Bit 3 remains the same; bit 4 is permuted and becomes bit 7. After the second round, bit 8 has affected bits 1, 3, 6, and 7.

b. Going through these steps in the other direction (from ciphertext to the plaintext) shows that each bit in the ciphertext is affected by several bits in the plaintext.

Confusion Figure 5.14 also shows how the confusion property can be achieved through the use of a product cipher. The four bits of ciphertext, bits 1, 3, 6, and 7, are affected by three bits in the key (bit 8 in K1 and bits 2 and 4 in K2). Going through the steps in the other direction shows that each bit in each round key affects several bits in the ciphertext. The relationship between ciphertext bits and key bits is obscured.

Figure 5.14 Diffusion and confusion in a block cipher (diagram not reproduced)

Practical Ciphers To improve diffusion and confusion, practical ciphers use larger data blocks, more S-boxes, and more rounds. With some thought, it can be seen that increasing the number of rounds using more S-boxes may create a better cipher in which the ciphertext looks more and more like a random n-bit word. In this way, the relationship between ciphertext and plaintext is totally hidden (diffusion). Increasing the number of rounds increases the number of round keys, which better hides the relationship between the ciphertext and the key.
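The two-round product cipher of Figure 5.13 with the diffusion and confusion traces of Figure 5.14 measured in code, as an added example that is not part of the text. The S-box and P-box tables are constructed (the figure's own tables are not in the text); the P-box wiring agrees with the routing the diffusion discussion describes (1→6, 2→1, 3→3, 4→7, 7→2, 8→4), and its remaining two entries and the round keys are assumptions.

```python
# Added example (not from the text): a two-round product cipher in the shape of
# Figure 5.13 (8-bit text, XOR whitener, four 2 x 2 S-boxes, 8 x 8 straight P-box)
# used to measure diffusion and confusion. The S-box and P-box tables are
# constructed here; the P-box wiring agrees with the routing the diffusion
# discussion describes (1->6, 2->1, 3->3, 4->7, 7->2, 8->4); the remaining two
# entries (5->5, 6->8) are assumed.
from typing import List, Set

SBOX = [3, 0, 1, 2]                 # 2-bit in -> 2-bit out, indexed by input value
SBOX_INV = [1, 2, 3, 0]             # SBOX_INV[SBOX[v]] == v
PBOX = [2, 7, 3, 8, 5, 1, 4, 6]     # output i (1-based) takes input PBOX[i-1]
PBOX_INV = [6, 1, 3, 7, 5, 8, 2, 4]


def bit(word: int, pos: int) -> int:
    """Bit `pos` of an 8-bit word, numbered 1..8 from the left as in the text."""
    return (word >> (8 - pos)) & 1


def permute(word: int, table: List[int]) -> int:
    out = 0
    for out_pos, in_pos in enumerate(table, start=1):
        out |= bit(word, in_pos) << (8 - out_pos)
    return out


def substitute(word: int, box: List[int]) -> int:
    """Four 2-bit groups (bits 1-2, 3-4, 5-6, 7-8) go through four copies of the S-box."""
    out = 0
    for shift in (6, 4, 2, 0):
        out |= box[(word >> shift) & 3] << shift
    return out


def encrypt(p: int, k1: int, k2: int) -> int:
    x = p
    for k in (k1, k2):                  # one round key per round
        x ^= k                          # a. whitener
        x = substitute(x, SBOX)         # b. S-boxes
        x = permute(x, PBOX)            # c. P-box
    return x


def decrypt(c: int, k1: int, k2: int) -> int:
    x = c
    for k in (k2, k1):                  # undo the rounds in reverse order
        x = permute(x, PBOX_INV)
        x = substitute(x, SBOX_INV)
        x ^= k
    return x


def diff_bits(a: int, b: int) -> Set[int]:
    """Positions (1..8) where two 8-bit words differ."""
    return {pos for pos in range(1, 9) if bit(a, pos) != bit(b, pos)}


def plaintext_bit_effect(p: int, k1: int, k2: int, pos: int) -> Set[int]:
    """Diffusion: ciphertext bits changed by flipping plaintext bit `pos`."""
    flipped = p ^ (1 << (8 - pos))
    return diff_bits(encrypt(p, k1, k2), encrypt(flipped, k1, k2))


def key_bit_effect(p: int, k1: int, k2: int, round_no: int, pos: int) -> Set[int]:
    """Confusion: ciphertext bits changed by flipping bit `pos` of round key 1 or 2."""
    mask = 1 << (8 - pos)
    if round_no == 1:
        return diff_bits(encrypt(p, k1, k2), encrypt(p, k1 ^ mask, k2))
    return diff_bits(encrypt(p, k1, k2), encrypt(p, k1, k2 ^ mask))


def all_round_trip(k1: int, k2: int) -> bool:
    """Decryption inverts encryption for every 8-bit plaintext under the given keys."""
    return all(decrypt(encrypt(p, k1, k2), k1, k2) == p for p in range(256))


if __name__ == "__main__":
    K1, K2 = 0b10110010, 0b01101110      # constructed round keys
    print(all_round_trip(K1, K2))                                  # True
    print(sorted(plaintext_bit_effect(0b01010011, K1, K2, 8)))    # [1, 3, 6, 7]
    print(sorted(key_bit_effect(0b01010011, K1, K2, 2, 2)))       # [1, 6]
```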



Two Classes of Product Ciphers

Modern block ciphers are all product ciphers, but they are divided into two classes. The ciphers in the first class use both invertible and noninvertible components. The ciphers in this class are normally referred to as Feistel ciphers. The block cipher DES discussed in Chapter 6 is a good example of a Feistel cipher. The ciphers in the second class use only invertible components. We refer to ciphers in this class as non-Feistel ciphers (for the lack of another name). The block cipher AES discussed in Chapter 7 is a good example of a non-Feistel cipher.

Feistel Ciphers

Feistel designed a very intelligent and interesting cipher that has been used for decades. A Feistel cipher can have three types of components: self-invertible, invertible, and noninvertible. A Feistel cipher combines all noninvertible elements in a unit and uses the same unit in the encryption and decryption algorithms. The question is how the encryption and decryption algorithms are inverses of each other if each has a noninvertible unit. Feistel showed that they can be canceled out.

First Thought To better understand the Feistel cipher, let us see how we can use the same noninvertible component in the encryption and decryption algorithms. The effects of a noninvertible component in the encryption algorithm can be canceled in the decryption algorithm if we use an exclusive-or operation, as shown in Figure 5.15.

Figure 5.15 The first thought in Feistel cipher design (diagram not reproduced)

In the encryption, a noninvertible function, f(K), accepts the key as the input. The output of this component is exclusive-ored with the plaintext. The result becomes the ciphertext. We call the combination of the function and the exclusive-or operation the mixer (for lack of another name). The mixer plays an important role in the later development of the Feistel cipher.

Because the key is the same in encryption and decryption, we can prove that the two algorithms are inverses of each other. In other words, if C_2 = C_1 (no change in the ciphertext during transmission), then P_2 = P_1.

Encryption: C_1 = P_1 ⊕ f(K)

Decryption: P_2 = C_2 ⊕ f(K) = C_1 ⊕ f(K) = P_1 ⊕ f(K) ⊕ f(K) = P_1

Note that two properties of the exclusive-or operation have been used (existence of inverse and existence of identity).

The above argument proves that, although the mixer has a noninvertible element, the mixer itself is self-invertible.



The mixer in the Feistel design is self-invertible.

Example 5.12

This is a trivial example. The plaintext and ciphertext are each 4 bits long and the key is 3 bits long. Assume that the function takes the first and third bits of the key, interprets these two bits as a decimal number, squares the number, and interprets the result as a 4-bit binary pattern. Show the results of encryption and decryption if the original plaintext is 0111 and the key is 101.

Solution

The function extracts the first and third bits to get 11 in binary or 3 in decimal. The result of squaring is 9, which is 1001 in binary.

Encryption: C = P ⊕ f(K) = 0111 ⊕ 1001 = 1110

Decryption: P = C ⊕ f(K) = 1110 ⊕ 1001 = 0111

The function is the same in the encryption and decryption algorithms. In other words, the function is noninvertible, but the mixer is self-invertible.

Improvement

Let us improve our first thought to get closer to the Feistel cipher. We know that we need to use the same input to the noninvertible element (the function), but we don't want to use only the key. We want the input to the function to also be part of the plaintext in the encryption and part of the ciphertext in the decryption. The key can be used as the second input to the function. In this way, our function can be a complex element with some keyless elements and some keyed elements. To achieve this goal, divide the plaintext and the ciphertext into two equal-length blocks, left and right. We call the left block L and the right block R. Let the right block be the input to the function, and let the left block be exclusive-ored with the function output. We need to remember one important point: the inputs to the function must be exactly the same in encryption and decryption. This means that the right section of plaintext in the encryption and the right section of the ciphertext in decryption must be the same. In other words, the right section must go into and come out of the encryption and decryption processes unchanged. Figure 5.16 shows the idea.

Figure 5.16 Improvement of the previous Feistel design



The encryption and decryption algorithms are still inverses of each other. Assume that L_3 = L_2 and R_3 = R_2 (no change in the ciphertext during transmission).






— 




- ' - Zr . - 





The plaintext used in the encryption algorithm is correctly regenerated by the decryption algorithm.

Final Design  The preceding improvement has one flaw. The right half of the plaintext never changes. Eve can immediately find the right half of the plaintext by intercepting the ciphertext and extracting the right half of it. The design needs more improvement. First, increase the number of rounds. Second, add a new element to each round: a swapper. The effect of the swapper in the encryption round is canceled by the effect of the swapper in the decryption round. However, it allows us to swap the left and right halves in each round. Figure 5.17 shows the new design with two rounds.



Figure 5.17 Final design of a Feistel cipher with two rounds



Note that there are two round keys, K_1 and K_2. The keys are used in reverse order in the encryption and decryption.

Because the two mixers are inverses of each other, and the swappers are inverses of each other, it should be clear that the encryption and decryption ciphers are inverses of each other. However, let us see if we can prove this fact using the relationship between the left and right sections in each cipher. In other words, let us see if L_6 = L_1 and R_6 = R_1. Assuming that L_4 = L_3 and R_4 = R_3 (no change in the ciphertext during transmission), we first prove the equality for the middle text.

= «4 ® ^ Kj) =K 3 <B /<R„ r K y = ®/{R 5 . K2 ) €>/<R 2( Ki) = L, : ; * 
Then it is easy to prove that the equality holds for the two plaintext blocks.
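The mixer of Example 5.12 and the two-round Feistel structure of Figure 5.17, as an added Python example that is not the textbook's code. The round function (the Example 5.12 function applied to R XOR K), the 8-bit block split into 4-bit halves, the 3-bit round keys, and the mirror-image order of the decryption components are constructed assumptions.

```python
"""Mixer (Figure 5.15) and two-round Feistel cipher (Figure 5.17).

Added example; not the textbook's code. Constructed choices: 8-bit blocks
split into two 4-bit halves, 3-bit round keys, and a round function that
applies the Example 5.12 function to (R XOR K). Decryption is the mirror
image of encryption: the same components in reverse order, so the round
keys are used as K2 then K1.
"""

MASK4 = 0xF


def f_example_5_12(key3: int) -> int:
    """Noninvertible function of Example 5.12: take the first (leftmost) and
    third bits of the 3-bit key, read them as a number, square it, and keep
    the result as a 4-bit pattern. Key 101 -> bits 11 -> 3 -> 9 -> 1001."""
    two_bit = (((key3 >> 2) & 1) << 1) | (key3 & 1)
    return (two_bit * two_bit) & MASK4


def mixer(block4: int, key3: int) -> int:
    """Mixer of Figure 5.15: XOR the block with f(K). The mixer is
    self-invertible although f is not, because x ^ f(K) ^ f(K) == x."""
    return block4 ^ f_example_5_12(key3)


def round_function(right4: int, key3: int) -> int:
    """Keyed round function f(R, K) of Figures 5.16 and 5.17 (constructed):
    the right half is folded into the key, then Example 5.12's f is applied.
    Only four output values exist, so it is clearly not invertible."""
    return f_example_5_12((right4 ^ key3) & 0b111)


def mix(left: int, right: int, key3: int) -> tuple:
    """Mixer of Figure 5.16: L <- L XOR f(R, K); R passes through unchanged,
    so the decryption mixer sees exactly the same inputs to f."""
    return left ^ round_function(right, key3), right


def swap(left: int, right: int) -> tuple:
    """Swapper: exchanging the halves is its own inverse."""
    return right, left


def split(block8: int) -> tuple:
    return (block8 >> 4) & MASK4, block8 & MASK4


def combine(left: int, right: int) -> int:
    return (left << 4) | right


def encrypt(block8: int, k1: int, k2: int) -> int:
    """Figure 5.17 encryption: mixer(K1), swapper, mixer(K2), swapper."""
    l, r = split(block8)
    l, r = mix(l, r, k1)
    l, r = swap(l, r)
    l, r = mix(l, r, k2)
    l, r = swap(l, r)
    return combine(l, r)


def decrypt(block8: int, k1: int, k2: int) -> int:
    """Figure 5.17 decryption: swapper, mixer(K2), swapper, mixer(K1).
    Each component undoes its encryption twin, innermost first."""
    l, r = split(block8)
    l, r = swap(l, r)
    l, r = mix(l, r, k2)
    l, r = swap(l, r)
    l, r = mix(l, r, k1)
    return combine(l, r)


def roundtrip_ok(k1: int, k2: int) -> bool:
    """Exhaustive check over all 256 blocks that decrypt(encrypt(P)) == P."""
    return all(decrypt(encrypt(p, k1, k2), k1, k2) == p for p in range(256))


if __name__ == "__main__":
    # Example 5.12: P = 0111, K = 101 gives C = 1110, and decryption gives 0111.
    print(format(mixer(0b0111, 0b101), "04b"), format(mixer(0b1110, 0b101), "04b"))
    print(hex(encrypt(0x72, 0b101, 0b011)), roundtrip_ok(0b101, 0b011))
```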

Non-Feistel Ciphers

A non-Feistel cipher uses only invertible components. A component in the plaintext has the corresponding component in the ciphertext. For example, S-boxes need to have an equal number of inputs and outputs to be compatible. No compression or expansion P-boxes are allowed, because they are not invertible. In a non-Feistel cipher, there is no need to divide the plaintext into two halves as we saw in the Feistel ciphers. Figure 5.11 can be thought of as a non-Feistel cipher because the only components in each round are the exclusive-or operation (self-invertible), 2 × 2 S-boxes that can be designed to be invertible, and a straight P-box that is invertible using the appropriate permutation table. Because each component is invertible, it can be shown that each round is invertible. We only need to use the round keys in the reverse order. The encryption uses round keys K_1 and K_2. The decryption algorithm needs to use round keys K_2 and K_1.

Attacks on Block Ciphers

Attacks on traditional ciphers can also be used on modern block ciphers, but today's block ciphers resist most of the attacks discussed in Chapter 3. For example, brute-force attack on the key is usually infeasible because the keys normally are very large. However, recently some new attacks on block ciphers have been devised that are based on the structure of the modern block ciphers. These attacks use differential and linear cryptanalysis techniques.

Differential Cryptanalysis

Eli Biham and Adi Shamir introduced the idea of differential cryptanalysis. This is a chosen-plaintext attack; Eve can somehow access Alice's computer, submitting chosen plaintext and obtaining the corresponding ciphertext. The goal is to find Alice's cipher key.

Algorithm Analysis  Before Eve uses the chosen-plaintext attack, she needs to analyze the encryption algorithm in order to collect some information about plaintext/ciphertext relationships. Obviously, Eve does not know the cipher key. However, some ciphers have weaknesses in their structures that can allow Eve to find a relationship between the plaintext differences and ciphertext differences without knowing the key.



Example 5.13

Assume that the cipher is made only of one exclusive-or operation, as shown in Figure 5.18. Without knowing the value of the key, Eve can easily find the relationship between plaintext differences and ciphertext differences if by plaintext difference we mean P_1 ⊕ P_2 and by ciphertext difference we mean C_1 ⊕ C_2. The following proves that C_1 ⊕ C_2 = P_1 ⊕ P_2:

C_1 = P_1 ⊕ K,  C_2 = P_2 ⊕ K  →  C_1 ⊕ C_2 = P_1 ⊕ K ⊕ P_2 ⊕ K = P_1 ⊕ P_2

However, this example is very primitive; modern block ciphers are not so simple.




Example 5.14

We add one S-box to Example 5.13, as shown in Figure 5.19.

Figure 5.19 Diagram for Example 5.14 (K is 3 bits, C is 2 bits)

Although the effect of the key is still canceled when we use differences between two X's and two P's (X_1 ⊕ X_2 = P_1 ⊕ P_2), the existence of the S-box prevents Eve from finding a definite relationship between the plaintext differences and the ciphertext differences. However, she can create a probabilistic relationship. Eve can make Table 5.4, which shows, for each plaintext difference, how many ciphertext differences the cipher may create. Note that the table is made from information about the S-box input/output table in Figure 5.19 because



Table 5.4 Differential input/output for the cipher in Example 5.14

Because the key is only 3 bits, there can be eight cases for each difference in the input. The table shows that if the input difference is (000)_2, the output difference is always (00)_2. On the other hand, the table shows that if the input difference is (100)_2, there are two cases of (00)_2 output difference, two cases of (11)_2 output difference, and four cases of (01)_2 output difference.



Example 5.15

The heuristic result of Example 5.14 can create probabilistic information for Eve as shown in Table 5.5. The entries in the table show the probabilities of occurrence. Those with zero probability will never occur.

Table 5.5 Differential distribution table for Example 5.15

Eve now has a great deal of information to start her attack, as we will see later. The table shows that the probabilities are not distributed uniformly because of the weakness in the structure of the S-box. Table 5.5 is sometimes referred to as the differential distribution table or XOR profile.
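Building the differential distribution table (XOR profile) of Examples 5.14 and 5.15 for the one-round cipher X = P ⊕ K, C = S(X), and checking that it does not depend on the key, as an added Python example that is not the textbook's code. The 3-bit-in, 2-bit-out S-box is constructed (the one in Figure 5.19 is not reproduced here), so its counts differ from Table 5.4.

```python
"""Differential distribution table (XOR profile) for the one-round cipher
of Figure 5.19: X = P XOR K, C = S(X).

Added example; not the textbook's code. SBOX is a constructed 3-bit-in,
2-bit-out S-box, not the one in Figure 5.19, so its counts differ from
Table 5.4. Written from the S-box designer's side: the question is how far
the table is from uniform, since a nonuniform table is what Example 5.15
hands to the analyst.
"""

IN_BITS, OUT_BITS = 3, 2
N_IN, N_OUT = 1 << IN_BITS, 1 << OUT_BITS

# Constructed S-box: index is the 3-bit input X, value is the 2-bit output C.
SBOX = [0b01, 0b00, 0b11, 0b01, 0b10, 0b11, 0b00, 0b01]


def cipher(p: int, key: int) -> int:
    """One round of Figure 5.19: mix the 3-bit key in by XOR, then the S-box."""
    return SBOX[(p ^ key) & (N_IN - 1)]


def ddt(sbox=SBOX) -> list:
    """table[dx][dy] = number of inputs x for which S(x) XOR S(x XOR dx) == dy.
    Each row totals 2^IN_BITS (Table 5.4 counts them as 'cases'); row 0 is
    always concentrated at dy = 0."""
    table = [[0] * N_OUT for _ in range(N_IN)]
    for dx in range(N_IN):
        for x in range(N_IN):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def probabilities(table: list) -> list:
    """Table 5.5 form: each count divided by the row total."""
    return [[count / sum(row) for count in row] for row in table]


def best_differential(table: list) -> tuple:
    """Most likely (dx, dy, count) with dx != 0. A designer wants this count
    as low as possible; a count of 2^IN_BITS would be a deterministic relation."""
    best = None
    for dx, row in enumerate(table):
        if dx == 0:
            continue
        for dy, count in enumerate(row):
            if best is None or count > best[2]:
                best = (dx, dy, count)
    return best


def ddt_is_key_independent() -> bool:
    """Example 5.14's claim, checked by brute force: because X1 XOR X2 equals
    P1 XOR P2 for every key, the ciphertext-difference counts observed for
    plaintext pairs with difference dp match row dp of the DDT for all keys."""
    table = ddt()
    for key in range(N_IN):
        for dp in range(N_IN):
            counts = [0] * N_OUT
            for p1 in range(N_IN):
                counts[cipher(p1, key) ^ cipher(p1 ^ dp, key)] += 1
            if counts != table[dp]:
                return False
    return True


if __name__ == "__main__":
    for dx, row in enumerate(ddt()):
        print(format(dx, "03b"), row)
    print("most likely differential (dx, dy, count):", best_differential(ddt()))
    print("key independent:", ddt_is_key_independent())
```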

Launching a Chosen-Plaintext Attack  After the analysis, which can be done once and kept for future uses as long as the structure of the cipher does not change, Eve can choose the plaintexts for attacks. The differential probability distribution table (Table 5.5) helps Eve choose plaintexts that have the highest probability in the table.

Guessing the Key Value  After launching some attacks with appropriate chosen plaintexts, Eve can find some plaintext-ciphertext pairs that allow her to guess the value of the key. This step starts from C and works toward P.

Example 5.16

Using Table 5.5, Eve knows that if P_1 ⊕ P_2 = 001, then C_1 ⊕ C_2 = 11 with the probability of 0.50 (50 percent). She tries C_1 = 00 and gets P_1 = 010 (chosen-ciphertext attack). She also tries C_2 = 11 and gets P_2 = 011 (another chosen-ciphertext attack). Now she tries to work backward, based on the first pair, P_1 and C_1:



Using the second pair, P_2 and C_2:

* V an ■iiiiiM n 

If X_2 = 000: K = X_2 ⊕ P_2 = 011        If X_2 = 110: K = X_2 ⊕ P_2 = 101

The two tests confirm that K = 011 or K = 101. Although Eve is not sure what the exact value of the key is, she knows that the rightmost bit is 1 (the common bit between the two values). More attacks, with the assumption that the rightmost bit of the key is 1, can reveal more bits in the key.

General Procedure  Modern block ciphers have more components than we discussed in this section. In addition, they are made from different rounds. Eve can use the following strategy:

1. Because each round is the same, Eve can create a differential distribution table (XOR profile) for each S-box and combine them to create a distribution for each round.

2. Assuming that each round is independent (a fair assumption), Eve can create a distribution table for the whole cipher by multiplying the corresponding probabilities.

3. Eve now can make a list of plaintexts for attacks based on the distribution table in step 2. Note that the table in step 2 only helps Eve choose a smaller number of ciphertext/plaintext pairs.

4. Eve chooses a ciphertext and finds the corresponding plaintext. She then analyzes the result to find some bits in the key.

5. Eve repeats step 4 to find more bits in the key.

6. After finding enough bits in the key, Eve can use a brute-force attack to find the whole key.

Differential cryptanalysis is based on a nonuniform differential distribution table of the S-boxes in a block cipher.






A more detailed differential cryptanalysis is given in Appendix N.



Linear Cryptanalysis

Linear cryptanalysis was presented by Mitsuru Matsui in 1993. The analysis uses known-plaintext attacks (versus the chosen-plaintext attacks in differential cryptanalysis). The full discussion of this attack is based on some probability concepts that are beyond the scope of this book. To see the main idea behind the attack, assume that the cipher is made of a single round, as shown in Figure 5.20. Let x_1, x_2, and x_3 represent the three bits in the input of the S-box. The S-box is a linear transformation in which each output is a linear function of the input, as we discussed earlier in this chapter. With this linear component, we can create three linear equations between plaintext and ciphertext bits, as shown below:






Cl * f| © J ? 



Solving for three unknowns, we gci 



O 



This means that three known-plaintext attacks can find the values of k_1, k_2, and k_3. However, real block ciphers are not as simple as this one; they have more components and the S-boxes are not linear.

Linear Approximation  In some modern block ciphers, it may happen that some S-boxes are not totally nonlinear; they can be approximated, probabilistically, by some linear functions. In general, given a cipher with plaintext and ciphertext of n bits and a key of m bits, we are looking for some equations of the form:




where 1 ≤ x ≤ n, 1 ≤ y ≤ n, and 1 ≤ z ≤ m. The bits in the intercepted plaintext and ciphertext can be used to find the key bits. To be effective, each equation should hold with probability 1/2 + ε, where ε is called the bias. An equation with larger ε is more effective than one with smaller ε.

A more detailed linear cryptanalysis is given in Appendix S.



5.2 MODERN STREAM CIPHERS

In Chapter 3 we briefly discussed the difference between traditional stream ciphers and traditional block ciphers. Similar differences exist between modern stream ciphers and modern block ciphers. In a modern stream cipher, encryption and decryption are done r bits at a time. We have a plaintext bit stream P = p_n ... p_2 p_1, a ciphertext bit stream C = c_n ... c_2 c_1, and a key bit stream K = k_n ... k_2 k_1, in which p_i, c_i, and k_i are r-bit words. Encryption is c_i = E(k_i, p_i) and decryption is p_i = D(k_i, c_i), as shown in Figure 5.21.



Figure 5.21




Stream ciphers are faster than block ciphers. The hardware implementation of a stream cipher is also easier. When we need to encrypt binary streams and transmit them at a constant rate, a stream cipher is the better choice to use. Stream ciphers are also more immune to the corruption of bits during transmission.

In a modern stream cipher, each r-bit word in the plaintext stream is enciphered using an r-bit word in the key stream to create the corresponding r-bit word in the ciphertext stream.



Looking at Figure 5.21, one can suggest that the main issue in modern stream ciphers is how to generate the key stream K = k_n ... k_2 k_1. Modern stream ciphers are divided into two broad categories: synchronous and nonsynchronous.






Synchronous Stream Ciphers

In a synchronous stream cipher, the key stream is independent of the plaintext or ciphertext stream. The key stream is generated and used with no relationship between its bits and the plaintext or ciphertext bits.

One-Time Pad

The simplest and the most secure type of synchronous stream cipher is called the one-time pad, which was invented and patented by Gilbert Vernam. A one-time pad cipher uses a key stream that is randomly chosen for each encipherment. The encryption and decryption algorithms each use a single exclusive-or operation. Based on properties of the exclusive-or operation discussed earlier, the encryption and decryption algorithms are inverses of each other. It is important to note that in this cipher the exclusive-or operation is used one bit at a time. In other words, the operation is over 1-bit words and the field is GF(2). Note also that there must be a secure channel so that Alice can send the key stream sequence to Bob (Figure 5.22).

Figure 5.22 One-time pad


The one-time pad is an ideal cipher. It is perfect. There is no way that an adversary can guess the key or the plaintext and ciphertext statistics. There is no relationship between the plaintext and ciphertext, either. In other words, the ciphertext is a true random stream of bits even if the plaintext contains some patterns. Eve cannot break the cipher unless she tries all possible random key streams, which would be 2^n if the size of the plaintext is n bits. However, there is an issue here. How can the sender and the receiver share a one-time pad key each time they want to communicate? They need to somehow agree on the random key. So this perfect and ideal cipher is very difficult to achieve.

Example 5.17

What is the pattern in the ciphertext of a one-time pad cipher in each of the following cases?
a. The plaintext is made of n 0's.
b. The plaintext is made of n 1's.




c. The plaintext is made of alternating 0's and 1's.
d. The plaintext is a random string of bits.

Solution

a. Because 0 ⊕ k_i = k_i, the ciphertext stream is the same as the key stream. If the key stream is random, the ciphertext is also random. The patterns in the plaintext are not preserved in the ciphertext.

b. Because 1 ⊕ k_i = k̄_i, where k̄_i is the complement of k_i, the ciphertext stream is the complement of the key stream. If the key stream is random, the ciphertext is also random. Again, the patterns in the plaintext are not preserved in the ciphertext.

c. In this case, each bit in the ciphertext stream is either the same as the corresponding bit in the key stream or the complement of it. Therefore, the result is also a random string if the key stream is random.

d. In this case, the ciphertext is definitely random because the exclusive-or of two random bits results in a random bit.

Feedback Shift Register

One compromise to the one-time pad is the feedback shift register (FSR). An FSR can be implemented in either software or hardware, but the hardware implementation is easier to discuss. A feedback shift register is made of a shift register and a feedback function, as shown in Figure 5.23.

Figure 5.23 Feedback shift register (FSR)



The shift register is a sequence of m cells, b_0 to b_{m-1}, where each cell holds a single bit. The cells are initialized to an m-bit word, called the initial value or the seed. Whenever an output bit is needed (for example, in a click of time), every bit is shifted one cell to the right, which means that each cell gives its value to the cell to its right and receives the value of the cell to its left. The rightmost cell, b_0, gives its value as output; the leftmost cell, b_{m-1}, receives its value from the feedback function. We call the output of the feedback function b_m. The feedback function defines how the values of the cells are combined to calculate b_m. A feedback shift register can be linear or nonlinear.






Linear Feedback Shift Register  In a linear feedback shift register (LFSR), b_m is a linear function of b_0, b_1, ..., b_{m-1}. However, we are dealing with binary digits because the multiplication and addition are in the GF(2) field, so the value of c_i is either 1 or 0, but c_0 should be 1 to get a feedback from the output. The addition operation is also the exclusive-or operation. In other words,

b_m = c_{m-1} b_{m-1} ⊕ ... ⊕ c_2 b_2 ⊕ c_1 b_1 ⊕ c_0 b_0        (c_0 ≠ 0)

Example 5.18

Create a linear feedback shift register with 5 cells.

Solution

If c_i = 0, b_i has no role in the calculation of b_m. This means that b_i is not connected to the feedback function. If c_i = 1, b_i is included in the calculation of b_m. In this example, three of the coefficients are 1's, which means that we have only three connections. Figure 5.24 shows the design.

Figure 5.24 LFSR for Example 5.18




Example 5.19

Create a linear feedback shift register with 4 cells in which b_4 = b_1 ⊕ b_0. Show the value of the output for 20 transitions (shifts) if the seed is (0001)_2.

Solution

Figure 5.25 shows the design and use of the LFSR in encryption.

Figure 5.25 LFSR for Example 5.19




Table 5.6 shows the values of the key stream. For each transition, first the value of b_4 is calculated and then each bit is shifted one cell to the right.

Table 5.6 Cell values and key sequence for Example 5.19

State      b4    b3  b2  b1  b0    k_i
Initial    -     0   0   0   1     -
1          1     1   0   0   0     1
2          0     0   1   0   0     0
3          0     0   0   1   0     0
4          1     1   0   0   1     0
5          1     1   1   0   0     1
6          0     0   1   1   0     0
7          1     1   0   1   1     0
8          0     0   1   0   1     1
9          1     1   0   1   0     1
10         1     1   1   0   1     0
11         1     1   1   1   0     1
12         1     1   1   1   1     0
13         0     0   1   1   1     1
14         0     0   0   1   1     1
15         0     0   0   0   1     1
16         1     1   0   0   0     1
17         0     0   1   0   0     0
18         0     0   0   1   0     0
19         1     1   0   0   1     0
20         1     1   1   0   0     1

(In each row, b_4 is computed from the cells of the previous row, the cells show the register after the shift, and k_i is the bit shifted out of b_0.)

Note that the key stream is 10001001101011110001.... This looks like a random sequence at first glance, but if we go through more transitions, we see that the sequence is periodic. It is a repetition of 15 bits, as shown below:

100010011010111 100010011010111 100010011010111 100010011010111 ...

The key stream generated from an LFSR is a pseudorandom sequence in which the sequence is repeated after N bits. The stream has a period, but the period is not 4, the size of the seed. Based on the design and the seed, the period can be up to 2^m − 1. The reason is that the m-bit seed can create up to 2^m different patterns, from all 0's to all 1's. However, if the seed is all 0's the result is useless; the output would be a continuous stream of 0's, so this is excluded.

The maximum period of an LFSR is 2^m − 1.
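The LFSR of Example 5.19 (characteristic polynomial x^4 + x + 1, seed 0001) generating its key stream, its period, and the bitwise encryption of Figure 5.25, as an added Python example that is not the book's code. Giving the polynomial as a set of exponents and the seed as a bit string written leftmost cell first are interface assumptions.

```python
"""LFSR key stream generator of Section 5.2 (added example, not the book's code).

Cells are b_{m-1} ... b_0, the output is the rightmost cell b_0, and the
feedback bit is b_m = c_{m-1} b_{m-1} XOR ... XOR c_0 b_0. The taps c_i are
read off the characteristic polynomial: x^4 + x + 1 gives c_1 = c_0 = 1,
that is b_4 = b_1 XOR b_0, the LFSR of Example 5.19.
"""


def taps_from_polynomial(exponents) -> tuple:
    """Characteristic polynomial given as the set of exponents with a 1
    coefficient, e.g. {4, 1, 0} for x^4 + x + 1 (an interface assumption).
    Returns (m, [c_0, ..., c_{m-1}]) where m is the number of cells."""
    m = max(exponents)
    taps = [1 if i in exponents else 0 for i in range(m)]
    if taps[0] != 1:
        raise ValueError("c_0 must be 1, otherwise b_0 never feeds back")
    return m, taps


def lfsr_step(cells: list, taps: list) -> tuple:
    """One transition: compute b_m, shift every cell one place to the right,
    and return (output bit, new cells). cells[i] holds b_i, so the shift is
    a drop of cells[0] and an append of the feedback bit at the left end."""
    feedback = 0
    for c, b in zip(taps, cells):
        feedback ^= c & b
    return cells[0], cells[1:] + [feedback]


def _seed_to_cells(seed: str, m: int) -> list:
    # The book writes the seed leftmost cell first: '0001' is b_3 b_2 b_1 b_0.
    cells = [int(ch) for ch in reversed(seed)]
    if len(cells) != m:
        raise ValueError("seed length must equal the number of cells")
    return cells


def keystream(exponents, seed: str, nbits: int) -> str:
    """First nbits key bits, as a string of '0'/'1'."""
    m, taps = taps_from_polynomial(exponents)
    cells = _seed_to_cells(seed, m)
    bits = []
    for _ in range(nbits):
        out, cells = lfsr_step(cells, taps)
        bits.append(str(out))
    return "".join(bits)


def period(exponents, seed: str) -> int:
    """Number of transitions until the register returns to the seed state.
    The all-zero seed returns immediately (period 1): it only ever outputs 0."""
    m, taps = taps_from_polynomial(exponents)
    start = _seed_to_cells(seed, m)
    cells, n = start, 0
    while True:
        _, cells = lfsr_step(cells, taps)
        n += 1
        if cells == start or n > (1 << m):
            return n


def stream_xor(bits: str, key_bits: str) -> str:
    """Encrypt or decrypt a bit string with a key stream (r = 1 bit per word)."""
    return "".join(str(int(p) ^ int(k)) for p, k in zip(bits, key_bits))


def encrypt(plaintext_bits: str, exponents, seed: str) -> str:
    """Figure 5.25: plaintext XOR key stream; the same call decrypts."""
    return stream_xor(plaintext_bits, keystream(exponents, seed, len(plaintext_bits)))


if __name__ == "__main__":
    poly = {4, 1, 0}                      # x^4 + x + 1
    print(keystream(poly, "0001", 20))    # 20 bits of Table 5.6
    print(period(poly, "0001"))           # 15 = 2^4 - 1
    print(encrypt("1101001010110100", poly, "0001"))
```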




In the previous example, the period is the maximum (2^4 − 1 = 15). To achieve this maximum period (a better randomness), we need first to think about the feedback function as a characteristic polynomial with coefficients in the GF(2) field.

b_m = c_{m-1} b_{m-1} + ... + c_1 b_1 + c_0 b_0  →  c_m x^m + c_{m-1} x^{m-1} + ... + c_1 x^1 + c_0 x^0

Because addition and subtraction are the same in this field, all terms can be moved to one side, which creates a polynomial of degree m (referred to as the characteristic polynomial).

An LFSR has a maximum period of 2^m − 1 if it has an even number of cells and the characteristic polynomial is a primitive polynomial. A primitive polynomial is an irreducible polynomial that divides x^e + 1, where e is the least integer in the form e = 2^k − 1 and k ≥ 2. It is not easy to generate a primitive polynomial. A polynomial is chosen randomly and then checked to see if it is primitive. However, there are many already tested primitive polynomials to choose from (see Appendix G).

Example 5.20

The characteristic polynomial for the LFSR in Example 5.19 is (x^4 + x + 1), which is a primitive polynomial. Table 4.4 (Chapter 4) shows that it is an irreducible polynomial. This polynomial also divides (x^7 + 1) = (x^4 + x + 1)(x^3 + 1), which means e = 2^3 − 1 = 7.

Attacks on LFSRs  The linear feedback shift register has a very simple structure, but this simplicity makes the cipher vulnerable to attacks. Two common attacks on LFSRs are listed below:

1. If the structure of the LFSR is known, then after intercepting and analyzing one n-bit ciphertext Eve can predict all future ciphertexts.

2. If the structure of the LFSR is not known, Eve can use a known-plaintext attack of 2n bits to break the cipher.

Nonlinear Feedback Shift Register  The linear feedback shift register is vulnerable to attacks mainly because of its linearity. A better stream cipher can be achieved using a nonlinear feedback shift register (NLFSR). An NLFSR has the same structure as an LFSR except that b_m is a nonlinear function of b_0, b_1, ..., b_{m-1}. For example, in a 4-bit NLFSR, the relation can be as shown below, where AND means bit-wise and operation, OR means bit-wise or operation, and the bar means the complement:



ft< — <^*3 AND OR AND :] 



However, NLFSRs are not common because there is no mathematical foundation for how to make an NLFSR with the maximum period.

Combination  A stream cipher can use a combination of linear and nonlinear structures. Some LFSRs can be made with the maximum period and then combined through a nonlinear function.




Nonsynchronous Stream Ciphers

In a nonsynchronous stream cipher, each key in the key stream depends on previous plaintext or ciphertext.

In a nonsynchronous stream cipher, the key depends on either the plaintext or ciphertext.

Two modes that are used to create different modes of operation for block ciphers (output feedback mode and counter mode) actually create stream ciphers (see Chapter 8).



5.3 RECOMMENDED READING

The following books and websites provide more details about subjects discussed in this chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

[Sti06] and [PHS03] give a complete discussion of P-boxes and S-boxes. Stream ciphers are elaborated in [Sch99] and [Sal03]. [Sti06], [PHS03], and [Vau06] present thorough and interesting discussions of differential and linear cryptanalysis.

WebSites

The following websites give more information about topics discussed in this chapter.



http://tD.wi k*p&fia^r$m^^ 




5.4 KEY TERMS

bit-oriented cipher
characteristic polynomial
character-oriented cipher
circular shift operation
combine operation
compression P-box
confusion
decoding
differential cryptanalysis
differential distribution table
diffusion
expansion P-box
feedback function
feedback shift register (FSR)
Feistel cipher
key generator
key stream
linear cryptanalysis
linear feedback shift register (LFSR)
linear S-box
mixer
modern block cipher
non-Feistel cipher
nonlinear feedback shift register (NLFSR)
nonlinear S-box
nonsynchronous stream cipher
one-time pad
P-box
primitive polynomial
product cipher
round
S-box
seed
shift register
split operation
straight P-box
swap operation
swapper
synchronous stream cipher
XOR profile



5.5 SUMMARY

□ The traditional symmetric-key ciphers are character-oriented ciphers. With the advent of the computer, we need bit-oriented ciphers.

□ A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of ciphertext. The encryption or decryption algorithm uses a k-bit key.

□ A modern block cipher can be designed to act as a substitution cipher or a transposition cipher. However, to be resistant to an exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher.

□ Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mapping from the possible inputs to possible outputs.

□ A modern block cipher is made of a combination of transposition units (P-boxes), substitution units (S-boxes), and some other units.

□ A P-box (permutation box) parallels the traditional transposition cipher for characters. There are three types of P-boxes: straight P-boxes, expansion P-boxes, and compression P-boxes.

□ An S-box (substitution box) can be thought of as a miniature of a substitution cipher. However, there can be a different number of inputs and outputs in an S-box.

□ An important component in most block ciphers is the exclusive-or operation, which can be thought of as an addition or subtraction operation in the GF(2^n) field.

□ An operation found in some modern block ciphers is the circular shift operation, in which shifting can be to the left or to the right. The swap operation is a special case of the circular shift operation where k = n/2. Two other operations found in some block ciphers are split and combine.

□ Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining S-boxes, P-boxes, and other components to achieve diffusion and confusion. Diffusion hides the relationship between the plaintext and the ciphertext; confusion hides the relationship between the cipher key and the ciphertext.

□ Modern block ciphers are all product ciphers, but they are divided into two classes: Feistel ciphers and non-Feistel ciphers. Feistel ciphers use both invertible and noninvertible components. Non-Feistel ciphers use only invertible components.

□ Some new attacks on block ciphers are based on the structure of modern block ciphers. These attacks use differential and linear cryptanalysis techniques.

□ In a modern stream cipher, each r-bit word in the plaintext stream is enciphered using an r-bit word in the key stream to create the corresponding r-bit word in the ciphertext stream. Modern stream ciphers can be divided into two broad categories: synchronous stream ciphers and nonsynchronous stream ciphers. In a synchronous stream cipher, the key stream is independent of the plaintext or ciphertext stream. In a nonsynchronous stream cipher, the key stream depends on the plaintext or ciphertext stream.

□ The simplest and most secure type of synchronous stream cipher is called the one-time pad. A one-time pad cipher uses a key stream that is randomly chosen for each encipherment. The encryption and decryption algorithms are each an exclusive-or operation. The one-time pad cipher is not practical because the key needs to be changed for each communication. One compromise to the one-time pad is the feedback shift register (FSR), which can be implemented in hardware or software.

5.6 PRACTICE SET

Review Questions

1. Distinguish between a modern and a traditional symmetric-key cipher.

2. Explain why modern block ciphers are designed as substitution ciphers instead of transposition ciphers.

3. Explain why both substitution and transposition ciphers can be thought of as permutations.

4. List some components of a modern block cipher.

5. Define a P-box and list its three variations. Which variation is invertible?

6. Define an S-box and mention the necessary condition for an S-box to be invertible.

7. Define a product cipher and list the two classes of product ciphers.

8. Distinguish between diffusion and confusion.

9. Distinguish between a Feistel and a non-Feistel block cipher.

10. Distinguish between differential and linear cryptanalysis. Which one is a chosen-plaintext attack? Which one is a known-plaintext attack?

11. Distinguish between a synchronous and a nonsynchronous stream cipher.

12. Define a feedback shift register and list the two variations used in stream ciphers.



Exercises

13. A transposition block has 10 inputs and 10 outputs. What is the order of the permutation group? What is the key size?

14. A substitution block has 10 inputs and 10 outputs. What is the order of the permutation group? What is the key size?

15. a. Find the result of a 3-bit circular left shift on the word (10011011)₂.
    b. Find the result of a 3-bit circular right shift on the word resulting from Part a.
    c. Compare the result of Part b with the original word in Part a.

16. a. Swap the word [word illegible in the scan].
    b. Swap the word resulting from Part a.
    c. Compare the results of Part a and Part b to show that swapping is a self-invertible operation.

17. Find the results of the following operations:
    a. (01001101 ⊕ [second operand illegible])
    b. (01001101 ⊕ [second operand illegible])
    c. [illegible]
    d. (01001101 ⊕ [second operand illegible])

18. a. Decode the word 010 using a 3 × 8 decoder.
    b. Encode the word 00100000 using an 8 × 3 encoder.

19. A message has 2000 characters. If it is supposed to be encrypted using a block cipher of 64 bits, find the size of the padding and the number of blocks.

20. Show the permutation table for the straight P-box in Figure 5.4.

21. Show the permutation table for the compression P-box in Figure 5.4.

22. Show the permutation table for the expansion P-box in Figure 5.4.

23. Show the P-box defined by the following table:
    [table only partly legible: 1 2 3 4 5 6]

24. Determine whether the P-box with the following permutation table is a straight P-box, a compression P-box, or an expansion P-box.
    [table only partly legible: 1 1 2 3 4 4]

25. Determine whether the P-box with the following permutation table is a straight P-box, a compression P-box, or an expansion P-box.
    [table only partly legible: 1 3 5 6 7 / 1 2 3 4 5 6]

26. Determine whether the P-box with the following permutation table is a straight P-box, a compression P-box, or an expansion P-box.
    [table not legible in the scan]

27. The input/output relation in a 2 × 2 S-box is shown by the following table. Show the table for the inverse S-box.
    [table not legible in the scan; its columns are labelled by the right input bit, 0 and 1]

28. Show an LFSR with the characteristic polynomial x^5 + x^2 + 1. What is the period?

29. What is the characteristic polynomial of the following LFSR? What is the maximum period?
    [LFSR figure not reproduced]

30. Show the 20-bit key stream generated from the LFSR in Figure 5.25 if the seed is 1110.

31. The maximum period length of an LFSR is 32. How many bits does the shift register have?

32. A 6 × 2 S-box exclusive-ors the odd-numbered bits to get the left bit of the output and exclusive-ors the even-numbered bits to get the right bit of the output. If the input is 110010, what is the output? If the input is [illegible], what is the output?

33. The leftmost bit of a 4 × 3 S-box rotates the other three bits. If the leftmost bit is 0, the three other bits are rotated to the right one bit. If the leftmost bit is 1, the three other bits are rotated to the left one bit. If the input is [illegible], what is the output? If the input is 0110, what is the output?

34. Write a routine in pseudocode that splits an n-bit word into two words, each of n/2 bits.

35. Write a routine in pseudocode that combines two n/2-bit words into an n-bit word.

36. Write a routine in pseudocode that swaps the left and right halves of an n-bit word.

37. Write a routine in pseudocode that circular-shifts an n-bit word k bits to the left or right based on the first parameter passed to the routine.

38. Write a routine in pseudocode for a P-box in which the permutation is defined by a table.

39. Write a routine in pseudocode for an S-box in which the input/output is defined by a table.

40. Write a routine in pseudocode that simulates each round of a non-Feistel cipher described in Figure 5.13.

41. Write a routine in pseudocode that simulates each round of the Feistel cipher described in Figure 5.17.

42. Write a routine in pseudocode that simulates an n-bit LFSR.


Chapter 6 Data Encryption Standard (DES)

Objectives

In this chapter we discuss the Data Encryption Standard (DES), the modern symmetric-key block cipher. The following are our main objectives for this chapter:

□ To review a short history of DES

□ To define the basic structure of DES

□ To describe the details of building elements of DES

□ To describe the round keys generation process

□ To analyze DES

The emphasis is on how DES uses a Feistel cipher to achieve confusion and diffusion of bits from the plaintext to the ciphertext.


6.1 INTRODUCTION

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).

History

In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem. A proposal from IBM, a modification of a project called Lucifer, was accepted as DES. DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).

After the publication, the draft was criticized severely for two reasons. First, critics questioned the small key length (only 56 bits), which could make the cipher vulnerable to brute-force attack. Second, critics were concerned about some hidden design behind the internal structure of DES. They were suspicious that some part of the structure (the S-boxes) may have some hidden trapdoor that would allow the National Security Agency (NSA) to decrypt the messages without the need for the key. Later IBM designers mentioned that the internal structure was designed to prevent differential cryptanalysis.

DES was finally published as FIPS 46 in the Federal Register in January 1977. NIST, however, defines DES as the standard for use in unclassified applications. DES has been the most widely used symmetric-key block cipher since its publication. NIST later issued a new standard (FIPS 46-3) that recommends the use of triple DES (repeated DES cipher three times) for future applications. As we will see in Chapter 7, AES, the recent standard, is supposed to replace DES in the long run.



Overview

DES is a block cipher, as shown in Figure 6.1.

Figure 6.1 Encryption and decryption with DES [figure: a 64-bit plaintext and a 56-bit key enter the DES cipher and produce a 64-bit ciphertext; the reverse cipher with the same 56-bit key recovers the 64-bit plaintext]

At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit ciphertext; at the decryption site, DES takes a 64-bit ciphertext and creates a 64-bit block of plaintext. The same 56-bit cipher key is used for both encryption and decryption.


6.2 DES STRUCTURE

Let us concentrate on encryption; later we will discuss decryption. The encryption process is made of two permutations (P-boxes), which we call initial and final permutations, and sixteen Feistel rounds. Each round uses a different 48-bit round key generated from the cipher key according to a predefined algorithm described later in the chapter. Figure 6.2 shows the elements of DES cipher at the encryption site.

Initial and Final Permutations

Figure 6.3 shows the initial and final permutations (P-boxes). Each of these permutations takes a 64-bit input and permutes them according to a predefined rule. We have shown only a few input ports and the corresponding output ports. These permutations are keyless straight permutations that are the inverse of each other. For example, in the initial permutation, the 58th bit in the input becomes the first bit in the output. Similarly,



Figure 6.2 General structure of DES [figure: the 64-bit plaintext passes through the initial permutation, then rounds 1 to 16, each using a 48-bit round key K_1 to K_16 produced by the round-key generator from the 56-bit cipher key, and finally the final permutation to give the 64-bit ciphertext]

Figure 6.3 Initial and final permutation steps in DES [figure: a few ports of the two 64-bit straight P-boxes; in the initial permutation input 58 goes to output 1, in the final permutation input 1 goes to output 58]

in the final permutation, the first bit in the input becomes the 58th bit in the output. In other words, if the rounds between these two permutations do not exist, the 58th bit entering the initial permutation is the same as the 58th bit leaving the final permutation. The permutation rules for these P-boxes are shown in Table 6.1. Each side of the table can be thought of as a 64-element array. Note that, as with any permutation table we have discussed so far, the value of each element defines the input port number, and the order (index) of the element defines the output port number.

Table 6.1 Initial and final permutation tables

Initial Permutation
58 50 42 34 26 18 10 02
60 52 44 36 28 20 12 04
62 54 46 38 30 22 14 06
64 56 48 40 32 24 16 08
57 49 41 33 25 17 09 01
59 51 43 35 27 19 11 03
61 53 45 37 29 21 13 05
63 55 47 39 31 23 15 07

Final Permutation
40 08 48 16 56 24 64 32
39 07 47 15 55 23 63 31
38 06 46 14 54 22 62 30
37 05 45 13 53 21 61 29
36 04 44 12 52 20 60 28
35 03 43 11 51 19 59 27
34 02 42 10 50 18 58 26
33 01 41 09 49 17 57 25

These two permutations have no cryptography significance in DES. Both permutations are keyless and predetermined. The reason they are included in DES is not clear and has not been revealed by the DES designers. The guess is that DES was designed to be implemented in hardware (on chips) and that these two complex permutations may slow down the software simulation of the mechanism.

Example 6.1

Find the output of the initial permutation box when the input is given in hexadecimal as:

0x0002 0000 0000 0001

Solution

The input has only two 1s (bit 15 and bit 64); the output must also have only two 1s (the nature of straight permutation). Using Table 6.1, we can find the output related to these two bits. Bit 15 in the input becomes bit 63 in the output. Bit 64 in the input becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63. The result in hexadecimal is

0x0000 0080 0000 0002

Example 6.2

Prove that the initial and final permutations are the inverse of each other by finding the output of the final permutation if the input is

0x0000 0080 0000 0002

Solution

Only bit 25 and bit 63 are 1s; the other bits are 0s. In the final permutation, bit 25 becomes bit 64 and bit 63 becomes bit 15. The result is

0x0002 0000 0000 0001

The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptography significance in DES.



Rounds

DES uses 16 rounds. Each round of DES is a Feistel cipher, as shown in Figure 6.4.

Figure 6.4 A round in DES (encryption site)

The round takes L_{I−1} and R_{I−1} from the previous round (or the initial permutation box) and creates L_I and R_I, which go to the next round (or final permutation box). As we discussed in Chapter 5, we can assume that each round has two cipher elements (mixer and swapper). Each of these elements is invertible. The swapper is obviously invertible. It swaps the left half of the text with the right half. The mixer is invertible because of the XOR operation. All noninvertible elements are collected inside the function f(R_{I−1}, K_I).

DES Function

The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits (R_{I−1}) to produce a 32-bit output. This function is made up of four sections: an expansion P-box, a whitener (that adds key), a group of S-boxes, and a straight P-box as shown in Figure 6.5.

Expansion P-box Since R_{I−1} is a 32-bit input and K_I is a 48-bit key, we first need to expand R_{I−1} to 48 bits. R_{I−1} is divided into 8 4-bit sections. Each 4-bit section is then expanded to 6 bits. This expansion permutation follows a predetermined rule. For each section, input bits 1, 2, 3, and 4 are copied to output bits 2, 3, 4, and 5, respectively. Output bit 1 comes from bit 4 of the previous section; output bit 6 comes from bit 1 of the next section. If sections 1 and 8 can be considered adjacent sections, the same rule applies to bits 1 and 32. Figure 6.6 shows the input and output in the expansion permutation.

Although the relationship between the input and output can be defined mathematically, DES uses Table 6.2 to define this P-box. Note that the number of output ports is 48, but the value range is only 1 to 32. Some of the inputs go to more than one output. For example, the value of input bit 5 becomes the value of output bits 6 and 8.



Figure 6.5 DES function [figure: the 32-bit R_{I−1} is expanded to 48 bits, XORed with the 48-bit round key K_I, passed through the eight S-boxes (48 bits in, 32 bits out) and the straight P-box to give the 32-bit output]

Figure 6.6 Expansion permutation [figure: each 4-bit input section becomes a 6-bit output section; the two added bits are copied from the neighbouring sections]

Table 6.2 Expansion P-box table

32 01 02 03 04 05
04 05 06 07 08 09
08 09 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 01

Whitener (XOR) After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.

S-Boxes The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. See Figure 6.7.



Figure 6.7 S-boxes [figure: the 48-bit input is split into eight 6-bit chunks, one per S-box; the eight 4-bit outputs are combined into 32 bits]

The 48-bit data from the second operation is divided into eight 6-bit chunks, and each chunk is fed into a box. The result of each box is a 4-bit chunk; when these are combined the result is a 32-bit text. The substitution in each box follows a predetermined rule based on a 4-row by 16-column table. The combination of bits 1 and 6 of the input defines one of four rows; the combination of bits 2 through 5 defines one of the sixteen columns, as shown in Figure 6.8. This will become clear in the examples.

Figure 6.8 S-box rule [figure: of the 6 input bits, bit 1 and bit 6 select the row and bits 2 to 5 select the column of the table, giving the 4 output bits]

Because each S-box has its own table, we need eight tables, as shown in Tables 6.3 to 6.10, to define the output of these boxes. The values of the inputs (row number and column number) and the values of the outputs are given as decimal numbers to save space. These need to be changed to binary.

Table 6.3 S-box 1

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   14 04 13 01 02 15 11 08 03 10 06 12 05 09 00 07
1   00 15 07 04 14 02 13 01 10 06 12 11 09 05 03 08
2   04 01 14 08 13 06 02 11 15 12 09 07 03 10 05 00
3   15 12 08 02 04 09 01 07 05 11 03 14 10 00 06 13

Table 6.4 S-box 2

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   15 01 08 14 06 11 03 04 09 07 02 13 12 00 05 10
1   03 13 04 07 15 02 08 14 12 00 01 10 06 09 11 05
2   00 14 07 11 10 04 13 01 05 08 12 06 09 03 02 15
3   13 08 10 01 03 15 04 02 11 06 07 12 00 05 14 09

Table 6.5 S-box 3

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   10 00 09 14 06 03 15 05 01 13 12 07 11 04 02 08
1   13 07 00 09 03 04 06 10 02 08 05 14 12 11 15 01
2   13 06 04 09 08 15 03 00 11 01 02 12 05 10 14 07
3   01 10 13 00 06 09 08 07 04 15 14 03 11 05 02 12

Table 6.6 S-box 4

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   07 13 14 03 00 06 09 10 01 02 08 05 11 12 04 15
1   13 08 11 05 06 15 00 03 04 07 02 12 01 10 14 09
2   10 06 09 00 12 11 07 13 15 01 03 14 05 02 08 04
3   03 15 00 06 10 01 13 08 09 04 05 11 12 07 02 14

Table 6.7 S-box 5

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   02 12 04 01 07 10 11 06 08 05 03 15 13 00 14 09
1   14 11 02 12 04 07 13 01 05 00 15 10 03 09 08 06
2   04 02 01 11 10 13 07 08 15 09 12 05 06 03 00 14
3   11 08 12 07 01 14 02 13 06 15 00 09 10 04 05 03

Table 6.8 S-box 6

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   12 01 10 15 09 02 06 08 00 13 03 04 14 07 05 11
1   10 15 04 02 07 12 09 05 06 01 13 14 00 11 03 08
2   09 14 15 05 02 08 12 03 07 00 04 10 01 13 11 06
3   04 03 02 12 09 05 15 10 11 14 01 07 06 00 08 13

Table 6.9 S-box 7

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   04 11 02 14 15 00 08 13 03 12 09 07 05 10 06 01
1   13 00 11 07 04 09 01 10 14 03 05 12 02 15 08 06
2   01 04 11 13 12 03 07 14 10 15 06 08 00 05 09 02
3   06 11 13 08 01 04 10 07 09 05 00 15 14 02 03 12

Table 6.10 S-box 8

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   13 02 08 04 06 15 11 01 10 09 03 14 05 00 12 07
1   01 15 13 08 10 03 07 04 12 05 06 11 00 14 09 02
2   07 11 04 01 09 12 14 02 00 06 10 13 15 03 05 08
3   02 01 14 07 04 10 08 13 15 12 09 00 03 05 06 11

Example 6.3

The input to S-box 1 is 100011. What is the output?

Solution

If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1, in Table 6.3 (S-box 1). The result is 12 in decimal, which in binary is 1100. So the input 100011 yields the output 1100.

Example 6.4

The input to S-box 8 is 000000. What is the output?

Solution

If we write the first and the sixth bits together, we get 00 in binary, which is 0 in decimal. The remaining bits are 0000 in binary, which is 0 in decimal. We look for the value in row 0, column 0, in Table 6.10 (S-box 8). The result is 13 in decimal, which is 1101 in binary. So the input 000000 yields the output 1101.

Straight Permutation The last operation in the DES function is a straight permutation with a 32-bit input and a 32-bit output. The input/output relationship for this operation is shown in Table 6.11 and follows the same general rule as previous permutation tables. For example, the seventh bit of the input becomes the second bit of the output.

Table 6.11 Straight permutation table [table values not legible in the scan]

Cipher and Reverse Cipher

Using mixers and swappers, we can create the cipher and reverse cipher, each having 16 rounds. The cipher is used at the encryption site; the reverse cipher is used at the decryption site. The whole idea is to make the cipher and the reverse cipher algorithms similar.

First Approach

To achieve this goal, one approach is to make the last round (round 16) different from the others; it has only a mixer and no swapper. This is done in Figure 6.9.



Figure 6.9 DES cipher and reverse cipher for the first approach

Although the rounds are not aligned, the elements (mixer or swapper) are aligned. We proved in Chapter 5 that a mixer is a self-inverse; so is a swapper. The final and initial permutations are also inverses of each other. The left section of the plaintext at the encryption site, L_0, is enciphered as L_16 at the encryption site; L_16 at the decryption site is deciphered as L_0 at the decryption site. The situation is the same with R_0 and R_16.

An important point we need to remember about the ciphers is that the round keys (K_1 to K_16) should be applied in the reverse order. At the encryption site, round 1 uses K_1 and round 16 uses K_16; at the decryption site, round 1 uses K_16 and round 16 uses K_1.

In the first approach, there is no swapper in the last round.

Algorithm 6.1 gives the pseudocode for the cipher and some corresponding routines in the first approach. The code for the rest of the routines is left as exercises.

Algorithm 6.1 Pseudocode for DES cipher

Cipher (plainBlock[64], RoundKeys[16, 48], cipherBlock[64])
{
  permute (64, 64, plainBlock, inBlock, InitialPermutationTable)
  split (64, 32, inBlock, leftBlock, rightBlock)
  for (round = 1 to 16)
  {
    mixer (leftBlock, rightBlock, RoundKeys[round])
    if (round != 16) swapper (leftBlock, rightBlock)
  }
  combine (32, 64, leftBlock, rightBlock, outBlock)
  permute (64, 64, outBlock, cipherBlock, FinalPermutationTable)
}

swapper (leftBlock[32], rightBlock[32])
{
  copy (32, leftBlock, T)
  copy (32, rightBlock, leftBlock)
  copy (32, T, rightBlock)
}

Algorithm 6.1 Pseudocode for DES cipher (continued)

substitute (inBlock[48], outBlock[32], SubstitutionTables[8, 4, 16])
{
  for (i = 0 to 7)
  {
    row ← 2 × inBlock[i × 6 + 1] + inBlock[i × 6 + 6]
    col ← 8 × inBlock[i × 6 + 2] + 4 × inBlock[i × 6 + 3] + 2 × inBlock[i × 6 + 4] + inBlock[i × 6 + 5]
    value ← SubstitutionTables[i + 1][row][col]
    outBlock[i × 4 + 1] ← value / 8;   value ← value mod 8
    outBlock[i × 4 + 2] ← value / 4;   value ← value mod 4
    outBlock[i × 4 + 3] ← value / 2;   value ← value mod 2
    outBlock[i × 4 + 4] ← value
  }
}

Here "/" is integer division, and the box index i runs from 0 so that the 1-based bit positions i × 6 + 1 to i × 6 + 6 stay inside the 48-bit input block.



Alternative Approach

In the first approach, round 16 is different from other rounds; there is no swapper in this round. This is needed to make the last mixer in the cipher and the first mixer in the reverse cipher aligned. We can make all 16 rounds the same by including one swapper in the 16th round and adding an extra swapper after that (two swappers cancel the effect of each other). We leave the design for this approach as an exercise.



Key Generation

The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. However, the cipher key is normally given as a 64-bit key in which 8 extra bits are the parity bits, which are dropped before the actual key-generation process, as shown in Figure 6.10.

Parity Drop

The preprocess before key expansion is a compression permutation that we call parity bit drop. It drops the parity bits (bits 8, 16, 24, ..., 64) from the 64-bit key and permutes the rest of the bits according to Table 6.12. The remaining 56-bit value is the actual cipher key which is used to generate round keys. The parity drop permutation (a compression P-box) is shown in Table 6.12.



Figure 6.10 Key generation [figure: the 64-bit key with parity bits goes through the parity drop to a 56-bit cipher key; in each of the 16 rounds the two 28-bit halves are shifted left and the 56 bits are compressed to a 48-bit round key]

Table 6.12 Parity-bit drop table

57 49 41 33 25 17 09 01
58 50 42 34 26 18 10 02
59 51 43 35 27 19 11 03
60 52 44 36 63 55 47 39
31 23 15 07 62 54 46 38
30 22 14 06 61 53 45 37
29 21 13 05 28 20 12 04



Shift Left

After the straight permutation, the key is divided into two 28-bit parts. Each part is shifted left (circular shift) one or two bits. In rounds 1, 2, 9, and 16, shifting is one bit; in the other rounds, it is two bits. The two parts are then combined to form a 56-bit part. Table 6.13 shows the number of shifts for each round.

V 

Table 6.13 Number of bit shifts

Round:       1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Bit shifts:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1


Compression P-box

The compression permutation changes the 56 bits to 48 bits, which are used as a key for a round. The compression permutation is shown in Table 6.14.



Table 6.14 Key-compression table

14 17 11 24 01 05
03 28 15 06 21 10
23 19 12 04 26 08
16 07 27 20 13 02
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32


Algorithm

Let us write a simple algorithm to create round keys from the key with parity bits. Algorithm 6.2 uses several routines from Algorithm 6.1. The new routine is the shiftLeft routine, for which the code is given. Note that T is a temporary block.

Algorithm 6.2 Algorithm for round-keys generation

Key_Generator (keyWithParities[64], RoundKeys[16, 48], ShiftTable[16])
{
  permute (64, 56, keyWithParities, cipherKey, ParityDropTable)
  split (56, 28, cipherKey, leftKey, rightKey)
  for (round = 1 to 16)
  {
    shiftLeft (leftKey, ShiftTable[round])
    shiftLeft (rightKey, ShiftTable[round])
    combine (28, 56, leftKey, rightKey, preRoundKey)
    permute (56, 48, preRoundKey, RoundKeys[round], KeyCompressionTable)
  }
}

Algorithm 6.2 Algorithm for round-keys generation (continued)

shiftLeft (block[28], numOfShifts)
{
  for (i = 1 to numOfShifts)
  {
    T ← block[1]
    for (j = 2 to 28)
    {
      block[j − 1] ← block[j]
    }
    block[28] ← T
  }
}



Examples

Before analyzing DES, let us look at some examples to see how encryption and decryption change the value of bits in each round.

Example 6.5

We choose a random plaintext block and a random key, and determine what the ciphertext block would be (all in hexadecimal):

Plaintext: 123456ABCD132536    Key: AABB09182736CCDD
Ciphertext: C0B7A8D05F3A829C

Let us show the result of each round and the key created before and after the rounds. Table 6.15 first shows the result of steps before starting the round. The plaintext goes through



Table 6.15 Trace of data for Example 6.5

Plaintext: 123456ABCD132536
After initial permutation: 14A7D67818CA18AD
After splitting: L0 = 14A7D678   R0 = 18CA18AD

           Left       Right      Round key
Round 1    18CA18AD   5A78E394   194CD072DE8C
Round 2    5A78E394   4A1210F6   4568581ABCCE
Round 3    4A1210F6   B8089591   06EDA4ACF5B5
Round 4    B8089591   236779C2   DA2D032B6EE3
Round 5    236779C2   A15A4B87   69A629FEC913
Round 6    A15A4B87   2E8F9C65   C1948E87475E
Round 7    2E8F9C65   A9FC20A3   708AD2DDB3C0
Round 8    A9FC20A3   308BEE97   34F822F0C66D
Round 9    308BEE97   10AF9D37   84BB4473DCCC
Round 10   10AF9D37   6CA6CB20   02765708B5BF
Round 11   6CA6CB20   FF3C485F   6D5560AF7CA5
Round 12   FF3C485F   22A5963B   C2C1E96A4BF3
Round 13   22A5963B   387CCDAA   99C31397C91F
Round 14   387CCDAA   BD2DD2AB   251B8BC717D0
Round 15   BD2DD2AB   CF26B472   3330C5D9A36D
Round 16   19BA9212   CF26B472   181C5D75C66D

After combination: 19BA9212CF26B472
Ciphertext: C0B7A8D05F3A829C (after final permutation)



the initial permutation to create completely different 64 bits (16 hexadecimal digits). After this step, the text is split into two halves, which we call L0 and R0. The table shows the results of 16 rounds that involve mixing and swapping (except for the last round). The results of the last round (L16 and R16) are combined. Finally the text goes through the final permutation to create the ciphertext.

Some points are worth mentioning here. First, the right section out of each round is the same as the left section out of the next round. The reason is that the right section goes through the mixer without change, but the swapper moves it to the left section. For example, R1 passes through the mixer of the second round without change, but then it becomes L2 because of the swapper. The interesting point is that we do not have a swapper at the last round. That is why R15 becomes R16 instead of becoming L16.

Example 6.6

Let us see how Bob, at the destination, can decipher the ciphertext received from Alice using the same key. We have shown only a few rounds to save space. Table 6.16 shows some interesting points. First, the round keys should be used in the reverse order. Compare Table 6.15 and Table 6.16. The round key for round 1 is the same as the round key for round 16. The values of L0 and R0 during decryption are the same as the values of L16 and R16 during encryption. This is the same with other rounds. This proves not only that the cipher and the reverse cipher are inverses of each other in the whole, but also that each round in the cipher has a corresponding reverse round in the reverse cipher. The result proves that the initial and final permutation steps are also inverses of each other.



Table 6.16 Trace of data for Example 6.6

Ciphertext: C0B7A8D05F3A829C
After initial permutation: 19BA9212CF26B472
After splitting: L0 = 19BA9212   R0 = CF26B472

           Left       Right      Round key
Round 1    CF26B472   BD2DD2AB   181C5D75C66D
Round 2    BD2DD2AB   387CCDAA   3330C5D9A36D
...
Round 15   5A78E394   18CA18AD   4568581ABCCE
Round 16   14A7D678   18CA18AD   194CD072DE8C

After combination: 14A7D67818CA18AD
Plaintext: 123456ABCD132536 (after final permutation)

6.3 DES ANALYSIS

Critics have used a strong magnifier to analyze DES. Tests have been done to measure the strength of some desired properties in a block cipher. The elements of DES have gone through scrutinies to see if they have met the established criteria. We discuss some of these in this section.

Properties

Two desired properties of a block cipher are the avalanche effect and the completeness.

Avalanche Effect

Avalanche effect means a small change in the plaintext (or key) should create a significant change in the ciphertext. DES has been proved to be strong with regard to this property.

Example 6.7

To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the differences in the number of bits in each round.

Plaintext: 0000000000000000    Key: 22234512987ABB23
Ciphertext: 4789FD476E82A5F1

Plaintext: 0000000000000001    Key: 22234512987ABB23
Ciphertext: 0A4ED5C15A63FEA3

Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. This means that changing approximately 1.5 percent of the plaintext creates a change of approximately 45 percent in the ciphertext. Table 6.17 shows the change in each round. It shows that significant changes occur as early as the third round.



Table 6.17 Number of bit differences for Example 6.7 [table: the number of differing bits after each round, from 1 bit in the plaintext to 29 bits in the ciphertext; the individual entries are not legible in the scan]


Completeness Effect

Completeness effect means that each bit of the ciphertext needs to depend on many bits on the plaintext. The diffusion and confusion produced by P-boxes and S-boxes in DES show a very strong completeness effect.

Design Criteria

The design of DES was revealed by IBM in 1994. Many tests on DES have proved that it satisfies some of the required criteria as claimed. We briefly discuss some of these design issues.

S-Boxes

We have discussed the general design criteria for S-boxes in Chapter 5; we only discuss the criteria selected for DES here. The design provides confusion and diffusion of bits from each round to the next. According to this revelation and some research, we can mention several properties of S-boxes:

1. The entries of each row are permutations of values between 0 and 15.

2. S-boxes are nonlinear. In other words, the output is not an affine transformation of the input. See Chapter 5 for discussion on the linearity of S-boxes.

3. If we change a single bit in the input, two or more bits will be changed in the output.

4. If two inputs to an S-box differ only in two middle bits (bits 3 and 4), the output must differ in at least two bits. In other words, S(x) and S(x ⊕ 001100) must differ in at least two bits, where x is the input and S(x) is the output.

5. If two inputs to an S-box differ in the first two bits (bits 1 and 2) and are the same in the last two bits (5 and 6), the two outputs must be different. In other words, we need to have the following relation S(x) ≠ S(x ⊕ 11bc00), in which b and c are arbitrary bits.

6. There are only 32 6-bit input-word pairs (x_i and x_j), in which x_i ⊕ x_j = ([illegible])₂. These 32 input pairs create 32 4-bit output-word pairs. If we create the difference between the 32 output pairs, d = y_i ⊕ y_j, no more than 8 of these d's should be the same.




8. In any S-box, if a single input bit is held constant (0 or 1) and the other bits are changed randomly, the differences between the number of 0s and 1s are minimized.



P-Boxes

Between two rows of S-boxes (in two subsequent rounds), there are one straight P-box (32 to 32) and one expansion P-box (32 to 48). These two P-boxes together provide diffusion of bits. We have discussed the general design principle of P-boxes in Chapter 5. Here we discuss only the ones applied to the P-boxes used inside the DES function. The following criteria were implemented in the design of P-boxes to achieve this goal:

1. Each S-box input comes from the output of a different S-box (in the previous round).

2. No input to a given S-box comes from the output from the same box (in the previous round).

3. The four outputs from each S-box go to six different S-boxes (in the next round).

4. No two output bits from an S-box go to the same S-box (in the next round).

5. If we number the eight S-boxes S1, S2, ..., S8,

   a. An output bit of S(j-2) goes to one of the first two bits of Sj (in the next round).

   b. An output bit of S(j-1) goes to one of the last two bits of Sj (in the next round).

   c. An output bit of S(j+1) goes to one of the two middle bits of Sj (in the next round).

6. For each S-box, two of the output bits go to the first or last two bits of an S-box in the next round. The other two output bits go to the middle bits of an S-box in the next round.

7. If an output bit from Sj goes to one of the middle bits in Sk (in the next round), then an output bit from Sk cannot go to the middle bits of Sj. If we let j = k, this implies that none of the middle bits of an S-box can go to one of the middle bits of the same S-box in the next round.

Number of Rounds

DES uses sixteen rounds of Feistel ciphers. It has been proved that after eight rounds each ciphertext bit is a function of every plaintext bit and every key bit; the ciphertext is thoroughly a random function of plaintext and ciphertext. Therefore, it looks like eight rounds should be enough. However, experiments have found that DES versions with less than sixteen rounds are even more vulnerable to known-plaintext attacks than to brute-force attack, which justifies the use of sixteen rounds by the designers of DES.

DES Weaknesses

During the last few years critics have found some weaknesses in DES.

Weaknesses in Cipher Design

We will briefly mention some weaknesses that have been found in the design of the cipher.

S-boxes At least three weaknesses are mentioned in the literature for S-boxes.

1. In S-box 4, the last three output bits can be derived in the same way as the first output bit by complementing some of the input bits.

2. Two specifically chosen inputs to an S-box array can create the same output.

3. It is possible to obtain the same output in a single round by changing bits in only three neighboring S-boxes.



P-boxes One mystery and one weakness were found in the design of P-boxes:

1. It is not clear why the designers of DES used the initial and final permutations; these have no security benefits.

2. In the expansion permutation (inside the function), the first and fourth bits of every 4-bit series are repeated.

Weakness in the Cipher Key

Several weaknesses have been found in the cipher key.

Key Size Critics believe that the most serious weakness of DES is in its key size (56 bits). To do a brute-force attack on a given ciphertext block, the adversary needs to check 2^56 keys.

a. With available technology, it is possible to check one million keys per second. This means that we need more than two thousand years to do a brute-force attack on DES using only a computer with one processor.

b. If we can make a computer with one million chips (parallel processing), then we can test the whole key domain in approximately 20 hours. When DES was introduced, the cost of such a computer was over several million dollars, but the cost has dropped rapidly. A special computer was built in 1998 that found the key in 112 hours.

c. Computer networks can simulate parallel processing. In 1977 a team of researchers used computers attached to the Internet to find a key challenged by RSA Laboratories in 120 days. The key domain was divided among all of these computers, and each computer was responsible to check its part of the domain.

d. If 3500 networked computers can find the key in 120 days, a secret society with 42,000 members can find the key in 10 days.

The above discussion shows that DES with a cipher key of 56 bits is not safe enough to be used comfortably. We will see later in the chapter that one solution is to use triple DES (3DES) with two keys (112 bits) or triple DES with three keys (168 bits).

Weak Keys Four out of 2^56 possible keys are called weak keys. A weak key is one that, after the parity drop operation (using Table 6.12), consists either of all 0s, all 1s, or half 0s and half 1s. These keys are shown in Table 6.18.

Table 6.18 Weak keys

Keys before parity drop (64 bits)    Actual key (56 bits)
0101 0101 0101 0101                  0000000 0000000
1F1F 1F1F 0E0E 0E0E                  0000000 FFFFFFF
E0E0 E0E0 F1F1 F1F1                  FFFFFFF 0000000
FEFE FEFE FEFE FEFE                  FFFFFFF FFFFFFF

The round keys created from any of these weak keys are the same and have the same pattern as the cipher key. For example, the sixteen round keys created from the first key are all made of 0s; the ones from the second are made of half 0s and half 1s.




The reason is that the key-generation algorithm first divides the cipher key into two halves. Shifting or permutation of a block does not change the block if it is made of all 0s or all 1s.

What is the disadvantage of using a weak key? If we encrypt a block with a weak key and subsequently encrypt the result with the same weak key, we get the original block. The process creates the same original block if we decrypt the block twice. In other words, each weak key is the inverse of itself: E_k(E_k(P)) = P, as shown in Figure 6.11.

Figure 6.11 Double encryption and decryption with a weak key

[Figure: a 64-bit text enters the DES cipher twice under the same weak key and the original 64-bit text comes out]



Weak keys should be avoided because the adversary can easily try them on the intercepted ciphertext. If after two decryptions the result is the same, the adversary has found the key.



Example 6.8

Let us try the first weak key in Table 6.18 to encrypt a block two times. After two encryptions with the same key the original plaintext block is created. Note that we have used the encryption algorithm two times, not one encryption followed by another decryption.

Key: 0x0101010101010101    Plaintext: 0x1234567887654321    Ciphertext: 0x814FE938589154F7
Key: 0x0101010101010101    Plaintext: 0x814FE938589154F7    Ciphertext: 0x1234567887654321



Semi-weak Keys There are six key pairs that are called semi-weak keys. These six pairs are shown in Table 6.19 (64-bit format before dropping the parity bits).

A semi-weak key creates only two different round keys and each of them is repeated eight times. In addition, the round keys created from each pair are the same with different orders.

Table 6.19 Semi-weak keys

First key in the pair      Second key in the pair
01FE 01FE 01FE 01FE        FE01 FE01 FE01 FE01
1FE0 1FE0 0EF1 0EF1        E01F E01F F10E F10E
01E0 01E0 01F1 01F1        E001 E001 F101 F101
1FFE 1FFE 0EFE 0EFE        FE1F FE1F FE0E FE0E
011F 011F 010E 010E        1F01 1F01 0E01 0E01
E0FE E0FE F1FE F1FE        FEE0 FEE0 FEF1 FEF1

To show the relationship, we have created the round keys from the first pair as shown below:

Round key 1 through Round key 16 for the first key and for the second key of the pair [round-key values not recovered]

As the list shows, there are eight equal round keys in each semi-weak key. In addition, round key 1 in the first set is the same as round key 16 in the second; round key 2 in the first is the same as round key 15 in the second; and so on. This means that the keys are inverses of each other: E_k2(E_k1(P)) = P, as shown in Figure 6.12.

Figure 6.12 A pair of semi-weak keys in encryption and decryption

[Figure: 64-bit text → DES cipher (k1) → DES cipher (k2) → 64-bit text, where k1 and k2 are a pair of semi-weak keys]

Possible Weak Keys There are also 48 keys that are called possible weak keys. A possible weak key is a key that creates only four distinct round keys; in other words, the sixteen round keys are divided into four groups and each group is made of four equal round keys.

Example 6.9

What is the probability of randomly selecting a weak, a semi-weak, or a possible weak key?

Solution

DES has a key domain of 2^56. The total number of the above keys is 64 (4 + 12 + 48). The probability of choosing one of these keys is 8.8 × 10^-16, almost impossible.

Key Complement In the key domain (2^56), definitely half of the keys are complements of the other half. A key complement can be made by inverting (changing 0 to 1 or 1 to 0) each bit in the key. Does a key complement simplify the job of the cryptanalyst? It happens that it does. Eve can use only half of the possible keys (2^55) to perform a brute-force attack. This is because

if C = E(k, P), then complement(C) = E(complement(k), complement(P))

In other words, if we encrypt the complement of the plaintext with the complement of the key, we get the complement of the ciphertext. Eve does not have to test all 2^56 possible keys; she can test only half of them and then complement the result.

Example 6.10

Let us test the claim about the complement. We have used an arbitrary key and plaintext to find the corresponding ciphertext. If we use the key complement and the plaintext complement, we obtain the complement of the previous ciphertext (Table 6.20).

Table 6.20 Results for Example 6.10

              Key                 Plaintext           Ciphertext
Original      1234123412341234    12345678ABCDEF12    E112BE1DEFC7A367
Complement    EDCBEDCBEDCBEDCB    EDCBA987543210ED    1EED41E210385C98



Key Clustering Key clustering refers to the situation in which two or more different keys can create the same ciphertext from the same plaintext. Obviously, each pair of the semi-weak keys is a key cluster. However, no more clusters have been found for DES. Future research may reveal some more.



6.4 MULTIPLE DES

As we have seen, the major criticism of DES regards its key length. With available technology and the possibility of parallel processing, a brute-force attack on DES is feasible. One solution to improve the security of DES is to abandon DES and design a new cipher. We will see this solution in Chapter 7 with the advent of AES. The second solution is to use multiple (cascaded) instances of DES with multiple keys; this solution, which has been used for a while, does not require an investment in new software and hardware. We study the second solution here.

As we learned in Chapter 5, a substitution that maps every possible input to every possible output is a group, with the mappings as the set elements and the composition as the operator. In this case, using two consecutive mappings is useless because we can always find a third mapping that is equivalent to the composition of the two (closure property). This means that if DES is a group, using double DES with two keys k1 and k2 is useless because a single DES with key k3 does the same thing (Figure 6.13).

Figure 6.13 Composition of mapping



[Figure: all possible 2^64 blocks → first mapping (using k1) → all possible 2^64 blocks → second mapping (using k2) → all possible 2^64 blocks; a third mapping (using k3) replaces the two]

Fortunately DES is not a group, based on the following two arguments:

a. The number of possible inputs or outputs in DES is N = 2^64. This means that we have N! = (2^64)! different mappings. One way to make DES a group is to make it support all of these mappings with a key size of log2((2^64)!) ≈ 2^70 bits. But we know that the key length of DES is only 56 bits (only a small fraction of this huge key).

b. Another way for DES to be a group is for the set of mappings to be a subset of the set in the sense of the first argument, but it has been proved that none of the subgroups created from the group in the first argument have a key size of 56 bits.

If DES is not a group, it is highly improbable that we can find a key k3 such that

E_k2(E_k1(P)) = E_k3(P)

This means that we can use double or triple DES to increase the key size.



Double DES

The first approach is to use double DES (2DES). In this approach, we use two instances of DES ciphers for encryption and two instances of reverse ciphers for decryption. Each instance uses a different key, which means that the size of the key is now doubled (112 bits). However, double DES is vulnerable to a known-plaintext attack, as discussed in the next section.



Meet-in-the-Middle Attack

At first glance, it looks like double DES increases the number of tests for key search from 2^56 (in single DES) to 2^112 (in double DES). However, using a known-plaintext attack called the meet-in-the-middle attack proves that double DES improves this vulnerability slightly (to 2^57 tests), but not tremendously (to 2^112). Figure 6.14 shows the diagram for double DES. Alice uses two keys, k1 and k2, to encrypt plaintext P into ciphertext C; Bob uses ciphertext C and the two keys, k2 and k1, to recover P.



Figure 6.14 Meet-in-the-middle attack for double DES

[Figure: encryption site, 64-bit plaintext → DES cipher (k1) → middle text M → DES cipher (k2) → 64-bit ciphertext; decryption site, 64-bit ciphertext → DES reverse cipher (k2) → M → DES reverse cipher (k1) → 64-bit plaintext]



The point is that the middle text, the text created by the first encryption or the first decryption, M, should be the same for encryption and decryption to work. In other words, we have two relationships:

M = E_k1(P)  and  M = D_k2(C)

Assume that Eve has intercepted a previous pair P and C (known-plaintext attack). Based on the first relationship mentioned above, Eve encrypts P using all possible values (2^56) of k1 and records all values obtained for M. Based on the second relationship mentioned above, Eve decrypts C using all possible values (2^56) of k2 and records all values obtained for M. Eve creates two tables sorted by M values. She then compares the values for M until she finds those pairs of k1 and k2 for which the value of M is the same in both tables, as shown in Figure 6.15. Note that there must be at least one pair because she is doing an exhaustive search on the combination of two keys.

1. If there is only one match, Eve has found the two keys (k1 and k2). If there is more than one candidate, Eve moves to the next step.

2. She takes another intercepted plaintext-ciphertext pair and uses each of the candidate key pairs to see if she can get the ciphertext from the plaintext. If she finds more than one candidate key pair, she repeats step 2 until she finally finds a unique pair.



Figure 6.15 Tables for meet-in-the-middle attack

[Figure: a table of M = E_k1(P) for every k1 and a table of M = D_k2(C) for every k2; find equal M's and record the corresponding k1 and k2]



It has been proved that after applying the second step to a few intercepted plaintext-ciphertext pairs, the keys are found. This means that instead of using 2^112 key-search tests, Eve uses 2^56 key-search tests two times (with some more tests if more than a single candidate is found in the first step). In other words, moving from single DES to double DES, we have increased the strength from 2^56 to 2^57 (not to 2^112 as it is believed superficially).
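To make the 2^56 + 2^56 versus 2^112 argument concrete, here is an added example (not from the book) that runs the two-table search described above against double encryption with a constructed 16-bit toy cipher (not DES), small enough that both key spaces can be enumerated in a couple of seconds; toy_encrypt, toy_decrypt and meet_in_the_middle are names chosen here. The count of cipher calls it returns is the point: two key spaces' worth plus the candidate checks, not their product, which is why cascading two instances of a cipher buys one extra bit rather than a doubled key.

```python
# Added example (not the book's code): meet-in-the-middle against double
# encryption of a constructed 16-bit toy cipher. The key pair (k1, k2) is
# 32 bits, but the search below costs about 2 * 2^16 cipher calls plus the
# candidate checks, mirroring the 2^57 figure for double DES.

MASK16 = 0xFFFF
ROUNDS = 4
# 4-bit S-box (row 0 of DES S-box 1, reused here only as a convenient bijection)
NIB = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
NIB_INV = [NIB.index(v) for v in range(16)]

def _rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK16

def _sub_nibbles(x, table):
    return sum(table[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))

def toy_encrypt(p, k):
    """16-bit block p under 16-bit key k: 4 rounds of key-xor, S-box, rotate."""
    x = p
    for r in range(ROUNDS):
        x ^= _rotl16(k, 3 * r)          # round key r is k rotated by 3r bits
        x = _sub_nibbles(x, NIB)
        x = _rotl16(x, 5)
    return x ^ k                        # final whitening

def toy_decrypt(c, k):
    x = c ^ k
    for r in reversed(range(ROUNDS)):
        x = _rotl16(x, 11)              # undo the rotate-left-by-5
        x = _sub_nibbles(x, NIB_INV)
        x ^= _rotl16(k, 3 * r)
    return x

def double_encrypt(p, k1, k2):
    return toy_encrypt(toy_encrypt(p, k1), k2)

def meet_in_the_middle(pairs):
    """pairs: known (P, C) pairs produced by double_encrypt with unknown (k1, k2).
    Returns (candidate key pairs, number of toy-cipher calls used)."""
    p, c = pairs[0]
    calls = 0
    table = {}                          # M = E_k1(P)  ->  every k1 producing it
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(p, k1), []).append(k1)
    calls += 1 << 16
    candidates = []                     # M = D_k2(C) looked up in the table
    for k2 in range(1 << 16):
        for k1 in table.get(toy_decrypt(c, k2), ()):
            candidates.append((k1, k2))
    calls += 1 << 16
    for p2, c2 in pairs[1:]:            # step 2: filter with further known pairs
        calls += 2 * len(candidates)
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_encrypt(p2, k1, k2) == c2]
    return candidates, calls

def demo():
    k1, k2 = 0x1234, 0xBEEF             # constructed secret key pair
    plaintexts = [0x0000, 0x5A5A, 0xC3C3]   # constructed known plaintexts
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return meet_in_the_middle(pairs)
```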

Triple DES

To improve the security of DES, triple DES (3DES) was proposed. This uses three stages of DES for encryption and decryption. Two versions of triple DES are in use today: triple DES with two keys and triple DES with three keys.

Triple DES with Two Keys

In triple DES with two keys, there are only two keys: k1 and k2. The first and the third stages use k1; the second stage uses k2. To make triple DES compatible with single DES, the middle stage uses decryption (reverse cipher) at the encryption site and encryption (cipher) at the decryption site. In this way, a message encrypted with single DES with key k can be decrypted with triple DES if k1 = k2 = k. Although triple DES with two keys is also vulnerable to a known-plaintext attack, it is much stronger than double DES. It has been adopted by the banking industry. Figure 6.16 shows triple DES with two keys.

Triple DES with Three Keys

The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Although the algorithm can use three DES cipher stages at the encryption site and three reverse cipher stages at the decryption site, to be compatible with single DES the encryption site uses EDE and the decryption site uses DED (E stands for encryption and D stands for decryption). Compatibility with single DES is provided by letting k1 = k and setting k2 and k3 to the same arbitrary key chosen by the receiver. Triple DES with three keys is used by many applications such as PGP (see Chapter 16).



Figure 6.16 Triple DES with two keys

[Figure: encryption site, 64-bit plaintext → DES cipher (k1) → DES reverse cipher (k2) → DES cipher (k1) → 64-bit ciphertext; decryption site, 64-bit ciphertext → DES reverse cipher (k1) → DES cipher (k2) → DES reverse cipher (k1) → 64-bit plaintext]



6.5 SECURITY OF DES

DES, as the first important block cipher, has gone through much scrutiny. Among the attempted attacks, three are of interest: brute-force, differential cryptanalysis, and linear cryptanalysis.

Brute-Force Attack

We have discussed the weakness of the short cipher key in DES. Combining this weakness with the key complement weakness, it is clear that DES can be broken using 2^55 encryptions. However, today most applications use either 3DES with two keys (key size of 112) or 3DES with three keys (key size of 168). These two multiple-DES versions make DES resistant to brute-force attacks.

Differential Cryptanalysis

We discussed the technique of differential cryptanalysis on modern block ciphers in Chapter 5. DES is not immune to that kind of attack. However, it has been revealed that the designers of DES already knew about this type of attack and designed S-boxes and chose 16 as the number of rounds to make DES specifically resistant to this type of attack. Today, it has been shown that DES can be broken using differential cryptanalysis if we have 2^47 chosen plaintexts or 2^55 known plaintexts. Although this looks more efficient than a brute-force attack, finding 2^47 chosen plaintexts or 2^55 known plaintexts is impractical. Therefore, we can say that DES is resistant to differential cryptanalysis. It has also been shown that increasing the number of rounds to 20 requires more than 2^64 chosen plaintexts for this attack, which is impossible because the possible number of plaintext blocks in DES is only 2^64.



We show an example of DES differential cryptanalysis in Appendix N.

Linear Cryptanalysis

We discussed the technique of linear cryptanalysis on modern block ciphers in Chapter 5. Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis, probably because this type of attack was not known to the designers of DES. S-boxes are not very resistant to linear cryptanalysis. It has been shown that DES can be broken using 2^43 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is very unlikely.

We show an example of DES linear cryptanalysis in Appendix N.




6.6 RECOMMENDED READING

The following books and websites provide more details about subjects discussed in this chapter. The items enclosed in brackets [...] refer to the reference list at the end of the book:

Books

[Sta06], [Sti06], [Rhe03], [Sal03], [Mao04], and [...] discuss DES.

WebSites

The following websites give more information about topics discussed in this chapter.

http://www.itl.nist.gov/fipspubs/fip46-2.htm



6.7 KEY TERMS

avalanche effect
completeness effect
Data Encryption Standard (DES)
double DES (2DES)
Federal Information Processing Standard (FIPS)
key complement
meet-in-the-middle attack
National Institute of Standards and Technology (NIST)
National Security Agency (NSA)
parity bit drop
possible weak keys
round-key generator
semi-weak keys
triple DES (3DES)
triple DES with three keys
triple DES with two keys
weak keys




6.8 SUMMARY

□ Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) as FIPS 46 in the

□ At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit ciphertext. At the decryption site, DES takes a 64-bit ciphertext and creates a 64-bit block of plaintext. The same 56-bit cipher key is used for both encryption and decryption.

□ The encryption process is made of two permutations (P-boxes), which we call initial and final permutations, and sixteen Feistel rounds. Each round of DES is a Feistel cipher with two elements (mixer and swapper). Each of these elements is invertible.

□ The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output. This function is made up of four operations: an expansion permutation, a whitener (that adds key), a group of S-boxes, and a straight permutation.

□ The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. However, the cipher key is normally presented as a 64-bit key in which 8 extra bits are the parity bits, which are dropped before the actual key-generation process.

□ DES has shown a good performance with respect to avalanche and completeness effects. Areas of weakness in DES include cipher design (S-boxes and P-boxes) and cipher key (length, weak keys, semi-weak keys, possible weak keys, and key complements).

□ Since DES is not a group, one solution to improve the security of DES is to use multiple DES (double and triple DES). Double DES is vulnerable to the meet-in-the-middle attack, so triple DES with two keys or three keys is common in applications.

□ The design of S-boxes and the number of rounds make DES almost immune to differential cryptanalysis. However, DES is vulnerable to linear cryptanalysis if the adversary can collect enough known plaintexts.



6.9 PRACTICE SET

Review Questions

1. What is the block size in DES? What is the cipher key size in DES? What is the round-key size in DES?

2. What is the number of rounds in DES?

3. How many mixers and swappers are used in the first approach of making encryption and decryption inverses of each other? How many are used in the second approach?

4. How many permutations are used in a DES cipher algorithm? How many permutations are used in the round-key generator?

5. How many exclusive-or operations are used in the DES cipher?

6. Why does the DES function need an expansion permutation?



7. Why does the round-key generator need a parity drop permutation?

8. What is the difference between a weak key, a semi-weak key, and a possible weak key?

9. What is double DES? What kind of attack on double DES makes it useless?

10. What is triple DES? What is triple DES with two keys? What is triple DES with three keys?

Exercises

11. Answer the following questions about S-boxes in DES:

a. Show the result of passing [input not recovered] through S-box 3.

b. Show the result of passing 111100 through S-box 4.

c. Show the result of passing [input not recovered] through S-box 7.

d. Show the result of passing [input not recovered] through S-box 2.

12. Draw the table to show the result of passing 000000 through all 8 S-boxes. Do you see a pattern in the outputs?

13. Draw the table to show the result of passing 111111 through all 8 S-boxes. Do you see a pattern in the outputs?

14. Check the third criterion for S-box 3 using the following pairs of inputs.

a. 000000 and 000001
b. 111111 and 111011

15. Check the fourth design criterion for S-box 2 using the following pairs of inputs.

a. 001100 and 110000
b. 110011 and 001111

16. Check the fifth design criterion for S-box 4 using the following pairs of inputs.

a. 001100 and 110000
b. 110011 and 001111

17. Create 32 6-bit input pairs to check the sixth design criterion for S-box 5.

18. Show how the eight design criteria for S-box 7 are fulfilled.

19. Prove the first design criterion for P-boxes by checking the input to S-box 2 in round 2.

20. Prove the second design criterion for P-boxes by checking the input to S-box 3 in round 4.

21. Prove the third design criterion for P-boxes by checking the output of S-box 4 in round 3.

22. Prove the fourth design criterion for P-boxes by checking the output of S-box 6 in round 12.

23. Prove the fifth design criterion for P-boxes by checking the relationship between S-boxes 3, 4, and 5 in rounds 10 and 11.

24. Prove the sixth design criterion for P-boxes by checking the destination of an arbitrary S-box.

25. Prove the seventh design criterion for P-boxes by checking the relationship between S-box 5 in round 4 and S-box 7 in round 5.



26. Redraw Figure 6.9 using the alternate approach.

27. Prove that the reverse cipher in Figure 6.9 is in fact the inverse of the cipher for a two-round DES. Start with a plaintext at the beginning of the cipher and prove that you can get the same plaintext at the end of the reverse cipher.

28. Carefully study the key compression permutation of Table 6.14.

a. Which input ports are missing in the output?

b. Do all left 24 output bits come from all left 28 input bits?

c. Do all right 24 output bits come from all right 28 input bits?

29. Show the result of the following hexadecimal data

0110 1132 4110 1023

after passing it through the initial permutation box.

30. Show the results of the following hexadecimal data

[data not recovered]

after passing it through the final permutation box.

31. If the key with parity bits (64 bits) is 0123 ABCD 2562 1456, find the first round key.

32. Using a plaintext block of all 0s and a 56-bit key of all 0s, prove the key-complement weakness assuming that DES is made only of one round.

33. Can you devise a meet-in-the-middle attack for a triple DES?

34. Write pseudocode for the permute routine used in Algorithm 6.1:

permute (n, m, inBlock[n], outBlock[m], permutationTable[m])

35. Write pseudocode for the split routine used in Algorithm 6.1:

split (n, m, inBlock[n], leftBlock[m], rightBlock[m])

36. Write pseudocode for the combine routine used in Algorithm 6.1:

combine (n, m, leftBlock[n], rightBlock[n], outBlock[m])

37. Write pseudocode for the exclusiveOr routine used in Algorithm 6.1:

exclusiveOr (n, firstInBlock[n], secondInBlock[n], outBlock[n])

38. Change Algorithm 6.1 to represent the alternative approach.

39. Augment Algorithm 6.1 to be used for both encryption and decryption.




CHAPTER 7 ADVANCED ENCRYPTION STANDARD (AES)

Objectives

In this chapter, we discuss the Advanced Encryption Standard (AES), the modern symmetric-key block cipher that may replace DES. This chapter has several objectives:

□ To review a short history of AES

□ To define the basic structure of AES

□ To define the transformations used by AES

□ To define the key expansion process

□ To discuss different implementations

The emphasis is on how the algebraic structures discussed in Chapter 4 achieve the AES security goals.

- . 

7.1 INTRODUCTION

The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in December 2001.

In 1997, NIST started looking for a replacement for DES, which would be called the Advanced Encryption Standard or AES. The NIST specifications required a block size of 128 bits and three different key sizes of 128, 192, and 256 bits. The specifications also required that AES be an open algorithm, available to the public worldwide. The announcement was made internationally to solicit responses from all over the world.

After the First AES Candidate Conference, NIST announced that 15 out of 21 received algorithms had met the requirements and been selected as the first candidates (August 1998). Algorithms were submitted from a number of countries; the variety of these proposals demonstrated the openness of the process and worldwide participation.

After the Second AES Candidate Conference, which was held in Rome, NIST announced that 5 out of 15 candidates (MARS, RC6, Rijndael, Serpent, and Twofish) were selected as the finalists (August 1999).

After the Third AES Candidate Conference, NIST announced that Rijndael (pronounced like "Rain Doll"), designed by Belgian researchers Joan Daemen and Vincent Rijmen, was selected as the Advanced Encryption Standard (October 2000).

In February 2001, NIST announced that a draft of the Federal Information Processing Standard (FIPS) was available for public review and comment.

Finally, AES was published as FIPS 197 in the Federal Register in December 2001.

Criteria

The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. At the end, Rijndael was judged the best at meeting the combination of these criteria.

Security

The main emphasis was on security. Because NIST explicitly demanded a 128-bit key, this criterion focused on resistance to cryptanalysis attacks other than brute-force attack.

Cost

The second criterion was cost, which covers the computational efficiency and storage requirement for different implementations such as hardware, software, or smart cards.

Implementation

This criterion included the requirement that the algorithm must have flexibility (be implementable on any platform) and simplicity.

Rounds

AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds; the number of rounds depends on the key size, which can be 128, 192, or 256 bits. Figure 7.1 shows the general design for the encryption algorithm (called cipher); the decryption algorithm (called inverse cipher) is similar, but the round keys are applied in the reverse order.

In Figure 7.1, Nr defines the number of rounds. The figure also shows the relationship between the number of rounds and the key size, which means that we can have three different AES versions; they are referred to as AES-128, AES-192, and AES-256. However, the round keys, which are created by the key-expansion algorithm, are always 128 bits, the same size as the plaintext or ciphertext block.

AES has defined three versions, with 10, 12, and 14 rounds.
Each version uses a different cipher key size (128, 192, or 256 bits), but the round keys are always 128 bits.



Figure 7.1 General design of AES encryption cipher

[Figure: a 128-bit plaintext block enters a pre-round AddRoundKey with K0, then rounds 1 to Nr with round keys K1 to KNr (the last round is slightly different), producing a 128-bit ciphertext. The cipher key (128, 192, or 256 bits) feeds the key-expansion process that produces the round keys. Relationship between cipher key size and number of rounds: 128 bits, Nr = 10; 192 bits, Nr = 12; 256 bits, Nr = 14.]

The number of round keys generated by the key-expansion algorithm is always one more than the number of rounds. In other words, we have

Number of round keys = Nr + 1

We refer to the round keys as K0, K1, K2, ..., KNr.

Data Units

AES uses five units of measurement to refer to data: bits, bytes, words, blocks, and state. The bit is the smallest and atomic unit; other units can be expressed in terms of smaller ones. Figure 7.2 shows the non-atomic data units: byte, word, block, and state.

Bit

In AES, a bit is a binary digit with a value of 0 or 1. We use a lowercase letter to refer to a bit.

Byte

A byte is a group of eight bits that can be treated as a single entity, a row matrix (1 × 8) of eight bits, or a column matrix (8 × 1) of eight bits. When treated as a row matrix, the bits are inserted into the matrix from left to right; when treated as a column matrix, the bits are inserted into the matrix from top to bottom. We use a lowercase bold letter to refer to a byte.

Word

A word is a group of 32 bits that can be treated as a single entity, a row matrix of four bytes, or a column matrix of four bytes. When it is treated as a row matrix, the bytes are inserted into the matrix from left to right; when it is considered as a column matrix, the bytes are inserted into the matrix from top to bottom. We use the lowercase bold letter w to show a word.

Figure 7.2 Data units used in AES

[Figure: a byte as eight bits b0 ... b7; a word as four bytes; a block as sixteen bytes b0 ... b15, or as four words w0 ... w3; a state as a 4 × 4 matrix of bytes.]

Block

AES encrypts and decrypts data blocks. A block in AES is a group of 128 bits. However, a block can be represented as a row matrix of 16 bytes.

State

AES uses several rounds in which each round is made of several stages. The data block is transformed from one stage to another. At the beginning and end of the cipher, AES uses the term data block; before and after each stage, the data block is referred to as a state. We use an uppercase bold letter to refer to a state. Although the states in different stages are normally called S, we occasionally use the letter T to refer to a temporary state. States, like blocks, are made of 16 bytes, but normally are treated as matrices of 4 × 4 bytes. In this case, each element of a state is referred to as s_r,c, where r (0 to 3) defines the row and c (0 to 3) defines the column. Occasionally, a state is treated as a row matrix (1 × 4) of words. This makes sense if we think of a word as a column matrix. At the beginning of the cipher, bytes in a data block are inserted into a state column by column, and in each column, from top to bottom. At the end of the cipher, bytes in the state are extracted in the same way, as shown in Figure 7.3.



Figure 7.3 Block-to-state and state-to-block transformation

[Figure: the sixteen bytes b0 ... b15 of a block are inserted column by column into the 4 × 4 state, so that s_r,c = b_(r + 4c); extraction from state to block reverses the same mapping.]



Example 7.1

Let us see how a 16-character block can be shown as a 4 × 4 matrix. Assume that the text block is "AES uses a matrix". We add two bogus characters at the end to get "AESUSESAMATRIXZZ". Now we replace each character with an integer between 00 and 25. We then show each byte as an integer with two hexadecimal digits. For example, the character "S" is first changed to 18 and then written as 12₁₆ in hexadecimal. The state matrix is then filled up, column by column, as shown in Figure 7.4. (Note: the figure writes the byte for "X" as 23, which is its decimal index; in two hexadecimal digits it would be 17₁₆. The states of Examples 7.2, 7.4, and 7.5 are carried forward from this figure exactly as shown.)

Figure 7.4 Changing a text block to state

Text:         A  E  S  U  S  E  S  A  M  A  T  R  I  X  Z  Z
Hexadecimal: 00 04 12 14 12 04 12 00 0C 00 13 11 08 23 19 19

State (filled column by column):

00 12 0C 08
04 04 00 23
12 12 13 19
14 00 11 19



Structure of Each Round

Figure 7.5 shows the structure of each round at the encryption side. Each round, except the last, uses four transformations that are invertible. The last round has only three transformations.

As Figure 7.5 shows, each transformation takes a state and creates another state to be used for the next transformation or the next round. The pre-round section uses only one transformation (AddRoundKey); the last round uses only three transformations (the MixColumns transformation is missing).

Figure 7.5 Structure of each round at the encryption site

[Figure: each round applies SubBytes, ShiftRows, MixColumns, and AddRoundKey, in that order. Notes: 1. One AddRoundKey is applied before the first round. 2. The third transformation (MixColumns) is missing in the last round.]

At the decryption site, the inverse transformations are used: InvSubBytes, InvShiftRows, InvMixColumns, and AddRoundKey (this one is self-invertible).



7.2 TRANSFORMATIONS

To provide security, AES uses four types of transformations: substitution, permutation, mixing, and key-adding. We will discuss each here.

Substitution

AES, like DES, uses substitution. However, the mechanism is different. First, the substitution is done for each byte. Second, only one table is used for transformation of every byte, which means that if two bytes are the same, the transformation is also the same. Third, the transformation is defined by either a table lookup process or mathematical calculation in the GF(2^8) field. AES uses two invertible transformations.

SubBytes

The first transformation, SubBytes, is used at the encryption site. To substitute a byte, we interpret the byte as two hexadecimal digits. The left digit defines the row and the right digit defines the column of the substitution table. The two hexadecimal digits at the junction of the row and the column are the new byte. Figure 7.6 shows the idea.

Figure 7.6 SubBytes transformation

[Figure: each byte s_r,c of the 4 × 4 state is replaced by the table entry whose row is the byte's left hexadecimal digit and whose column is its right hexadecimal digit.]

In the SubBytes transformation, the state is treated as a 4 × 4 matrix of bytes. Transformation is done one byte at a time. The contents of each byte is changed, but the arrangement of the bytes in the matrix remains the same. In the process, each byte is transformed independently. There are sixteen distinct byte-to-byte transformations.

The SubBytes operation involves 16 independent byte-to-byte transformations.

Table 7.1 shows the substitution table (S-box) for the SubBytes transformation. The transformation definitely provides confusion effect. For example, two bytes, 5A₁₆ and 5B₁₆, which differ only in one bit (the rightmost bit), are transformed to BE₁₆ and 39₁₆, which differ in four bits.





Table 7.1 SubBytes transformation table

     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1   CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2   B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3   04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4   09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5   53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6   D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7   51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8   CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9   60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A   E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B   E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C   BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D   70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E   E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F   8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16



InvSubBytes

InvSubBytes is the inverse of SubBytes. The transformation is done using Table 7.2. We can easily check that the two transformations are inverses of each other.

Table 7.2 InvSubBytes transformation table

     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB
1   7C E3 39 82 9B 2F FF 87 34 8E 43 44 C4 DE E9 CB
2   54 7B 94 32 A6 C2 23 3D EE 4C 95 0B 42 FA C3 4E
3   08 2E A1 66 28 D9 24 B2 76 5B A2 49 6D 8B D1 25
4   72 F8 F6 64 86 68 98 16 D4 A4 5C CC 5D 65 B6 92
5   6C 70 48 50 FD ED B9 DA 5E 15 46 57 A7 8D 9D 84
6   90 D8 AB 00 8C BC D3 0A F7 E4 58 05 B8 B3 45 06
7   D0 2C 1E 8F CA 3F 0F 02 C1 AF BD 03 01 13 8A 6B
8   3A 91 11 41 4F 67 DC EA 97 F2 CF CE F0 B4 E6 73
9   96 AC 74 22 E7 AD 35 85 E2 F9 37 E8 1C 75 DF 6E
A   47 F1 1A 71 1D 29 C5 89 6F B7 62 0E AA 18 BE 1B
B   FC 56 3E 4B C6 D2 79 20 9A DB C0 FE 78 CD 5A F4
C   1F DD A8 33 88 07 C7 31 B1 12 10 59 27 80 EC 5F
D   60 51 7F A9 19 B5 4A 0D 2D E5 7A 9F 93 C9 9C EF
E   A0 E0 3B 4D AE 2A F5 B0 C8 EB BB 3C 83 53 99 61
F   17 2B 04 7E BA 77 D6 26 E1 69 14 63 55 21 0C 7D



Example 7.2

Figure 7.7 shows how a state is transformed using the SubBytes transformation. The figure also shows that the InvSubBytes transformation creates the original one. Note that if two bytes have the same value, their transformation is also the same. For example, the two bytes 04₁₆ and 04₁₆ in the left state are transformed to F2₁₆ and F2₁₆ in the right state, and vice versa. This proves that every byte uses the same table. In contrast, we saw that DES (Chapter 6) uses eight S-boxes.

Figure 7.7 SubBytes transformation for Example 7.2

State (the state of Example 7.1):

00 12 0C 08
04 04 00 23
12 12 13 19
14 00 11 19

SubBytes (Table 7.1) gives the state below; InvSubBytes (Table 7.2) restores the state above from it:

63 C9 FE 30
F2 F2 63 26
C9 C9 7D D4
FA 63 82 D4




Transformation Using the GF(2^8) Field

Although we can use Table 7.1 or Table 7.2 to find the substitution for each byte, AES also defines the transformation algebraically using the GF(2^8) field with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1), as shown in Figure 7.8.

The SubBytes transformation repeats a routine, called subbyte, sixteen times. The InvSubBytes repeats a routine called invsubbyte. Each iteration transforms one byte.

In the subbyte routine, the multiplicative inverse of the byte (as an 8-bit binary string) is found in GF(2^8) with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1) as the modulus. Note that 00₁₆ has no multiplicative inverse; by definition it is mapped to itself. The inverted byte is then interpreted as a column matrix with the least significant bit at the top and the most significant bit at the bottom. This column matrix is multiplied by a constant square matrix, X, and the result, which is a column matrix, is added with a constant column matrix, y, to give the new byte. Note that multiplication and addition of bits are done in GF(2). The invsubbyte routine does the same thing in reverse order.

After finding the multiplicative inverse of the byte, the process is similar to the affine ciphers we discussed in Chapter 3. In the encryption, multiplication is first and addition is second; in the decryption, subtraction (addition with the inverse) is first and division (multiplication by the inverse) is second. We can easily prove that the two transformations are inverses of each other because addition or subtraction in GF(2) is actually the XOR operation.

The SubBytes and InvSubBytes transformations are inverses of each other.



Figure 7.8 SubBytes and InvSubBytes processes

SubBytes repeats subbyte 16 times. For each byte: find its multiplicative inverse in GF(2^8), write the result as a column matrix b (bit b0 at the top), and compute d = X b + y with bits in GF(2).

         | 1 0 0 0 1 1 1 1 |           | 1 |
         | 1 1 0 0 0 1 1 1 |           | 1 |
         | 1 1 1 0 0 0 1 1 |           | 0 |
    X =  | 1 1 1 1 0 0 0 1 |      y =  | 0 |      (y is 63₁₆, least significant bit at the top)
         | 1 1 1 1 1 0 0 0 |           | 0 |
         | 0 1 1 1 1 1 0 0 |           | 1 |
         | 0 0 1 1 1 1 1 0 |           | 1 |
         | 0 0 0 1 1 1 1 1 |           | 0 |

InvSubBytes repeats invsubbyte 16 times. For each byte: add y to the column matrix d (subtraction is the same as addition in GF(2)), multiply the result by X^-1, and take the multiplicative inverse of the byte obtained.

           | 0 0 1 0 0 1 0 1 |
           | 1 0 0 1 0 0 1 0 |
           | 0 1 0 0 1 0 0 1 |
   X^-1 =  | 1 0 1 0 0 1 0 0 |
           | 0 1 0 1 0 0 1 0 |
           | 0 0 1 0 1 0 0 1 |
           | 1 0 0 1 0 1 0 0 |
           | 0 1 0 0 1 0 1 0 |




Example 7.3

Let us show how the byte 0C is transformed to FE by the subbyte routine and transformed back to 0C by the invsubbyte routine.

1. subbyte:
   a. The multiplicative inverse of 0C in the GF(2^8) field is B0, which means b = (10110000).
   b. Multiplying matrix X by this matrix results in c = (10011101).
   c. The result of the XOR operation is d = (11111110), which is FE in hexadecimal.

2. invsubbyte:
   a. The result of the XOR operation is c = (10011101).
   b. The result of multiplying by matrix X^-1 is b = (10110000) or B0.
   c. The multiplicative inverse of B0 is 0C.

Although we have shown matrices to emphasize the nature of the substitution (an affine transformation), the algorithm does not necessarily use multiplication and addition of matrices, because the elements in the constant square matrix are only 0 or 1: each output bit is simply the XOR of selected input bits. The value of the constant column matrix is 0x63. We can write a simple algorithm to do the SubBytes. Algorithm 7.1 calls the subbyte routine 16 times, once for each byte in the state.

Algorithm 7.1 Pseudocode for SubBytes transformation

SubBytes (S)
{
    for (r = 0 to 3)
        for (c = 0 to 3)
            s_r,c ← subbyte (s_r,c)
}

subbyte (byte)
{
    a ← byte^-1 mod (x^8 + x^4 + x^3 + x + 1)        // the inverse of 00 is taken to be 00
    ByteToMatrix (a, b)                               // b is an 8 × 1 column matrix, b_0 at the top
    for (i = 0 to 7)
        d_i ← b_i ⊕ b_(i+4) mod 8 ⊕ b_(i+5) mod 8 ⊕ b_(i+6) mod 8 ⊕ b_(i+7) mod 8 ⊕ c_i   // c = 0x63
    MatrixToByte (d, byte)
}

The ByteToMatrix routine transforms a byte to an 8 × 1 column matrix. The MatrixToByte routine transforms an 8 × 1 column matrix to a byte. The expansion of these routines and the algorithm for InvSubBytes are left as exercises.



Nonlinearity

Although the multiplication and addition of matrices in the subbyte routine form an affine-type transformation and are linear, the replacement of the byte by its multiplicative inverse in GF(2^8) is nonlinear. This step makes the whole transformation nonlinear.
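The algebraic description above (multiplicative inverse in GF(2^8), then the affine map with matrix X and constant 63₁₆) can be checked by computing Table 7.1 from it instead of copying it. The following Python is an added example, not code from the book: it builds the S-box and the inverse S-box from the field arithmetic, checks them against the values the text quotes (0C → FE, 5A → BE, 5B → 39), and applies SubBytes to the state of Example 7.1 using the column-by-column block-to-state mapping of Section 7.1. The tap positions (0, 4, 5, 6, 7) are the 1-entries of a row of X; the inverse affine map uses taps (2, 5, 7) with the constant 05₁₆, which is X^-1 applied to 63₁₆. The function names are this example's own.

```python
# Added example: AES SubBytes/InvSubBytes computed from GF(2^8) arithmetic,
# plus the block-to-state mapping of Section 7.1. Not code from the book.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES irreducible polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (XOR) the modulus
            a ^= AES_POLY
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 00 is mapped to 00 by definition."""
    if a == 0:
        return 0
    # The nonzero elements form a group of order 255, so a^254 = a^-1.
    result, base, exponent = 1, a, 254
    while exponent:
        if exponent & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exponent >>= 1
    return result


def affine(b: int, taps, const: int) -> int:
    """Row i of the GF(2) matrix has 1s at columns (i + k) mod 8 for k in taps;
    output bit i is the XOR of those input bits and bit i of const."""
    d = 0
    for i in range(8):
        bit = (const >> i) & 1
        for k in taps:
            bit ^= (b >> ((i + k) % 8)) & 1
        d |= bit << i
    return d


def subbyte(x: int) -> int:
    """Inverse in GF(2^8), then multiply by X and add y = 63 (Figure 7.8)."""
    return affine(gf_inv(x), (0, 4, 5, 6, 7), 0x63)


def invsubbyte(y: int) -> int:
    """Undo the affine map (X^-1, constant 05 = X^-1 * 63), then invert."""
    return gf_inv(affine(y, (2, 5, 7), 0x05))


SBOX = [subbyte(x) for x in range(256)]         # should reproduce Table 7.1
INV_SBOX = [invsubbyte(y) for y in range(256)]  # should reproduce Table 7.2


def block_to_state(block: bytes):
    """s[r][c] = block[r + 4c]: bytes fill the 4 x 4 state column by column."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_block(state) -> bytes:
    """Extract the state column by column, top to bottom (Figure 7.3)."""
    return bytes(state[r][c] for c in range(4) for r in range(4))


def sub_bytes(state, table=SBOX):
    """SubBytes (or InvSubBytes with table=INV_SBOX): 16 independent lookups."""
    return [[table[b] for b in row] for row in state]


# Constructed input: the 16-byte block of Example 7.1 ("AESUSESAMATRIXZZ").
EXAMPLE_7_1_BLOCK = bytes.fromhex("00041214120412000C00131108231919")

if __name__ == "__main__":
    state = block_to_state(EXAMPLE_7_1_BLOCK)
    for row in sub_bytes(state):
        print(" ".join(f"{b:02X}" for b in row))
```

Running the block prints the right-hand state of Figure 7.7; the two 04 bytes in row 1 both come out as F2 because the same table serves every byte.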



Permutation

Another transformation found in a round is shifting, which permutes the bytes. Unlike DES, in which permutation is done at the bit level, the shifting transformation in AES is done at the byte level; the order of the bits in the byte is not changed.

ShiftRows

In the encryption, the transformation is called ShiftRows and the shifting is to the left. The number of shifts depends on the row number (0, 1, 2, or 3) of the state matrix. This means that row 0 is not shifted at all and the last row is shifted three bytes. Figure 7.9 shows the shifting transformation.

Figure 7.9 ShiftRows transformation

Row 0: no shift
Row 1: 1-byte shift
Row 2: 2-byte shift
Row 3: 3-byte shift

Note that the ShiftRows transformation operates one row at a time.



InvShiftRows

In the decryption, the transformation is called InvShiftRows and the shifting is to the right. The number of shifts is the same as the row number (0, 1, 2, and 3) of the state matrix.

The ShiftRows and InvShiftRows transformations are inverses of each other.

Algorithm

Algorithm 7.2 for the ShiftRows transformation is very simple. However, to emphasize that the transformation is one row at a time, we use a routine called shiftrow that shifts the bytes in a single row. We call this routine three times. The shiftrow routine first copies the row into a temporary row matrix, t. It then shifts the row.

Example 7.4

Figure 7.10 shows how a state is transformed using the ShiftRows transformation. The figure also shows that the InvShiftRows transformation creates the original state.



Algorithm 7.2 Pseudocode for ShiftRows transformation

ShiftRows (S)
{
    for (r = 1 to 3)
        shiftrow (s_r, r)
}

shiftrow (row, n)                      // n is the number of bytes to be shifted
{
    CopyRow (row, t)                   // t is a temporary row
    for (c = 0 to 3)
        row_(c - n) mod 4 ← t_c
}

Figure 7.10 ShiftRows transformation in Example 7.4

State (the output of SubBytes in Example 7.2):

63 C9 FE 30
F2 F2 63 26
C9 C9 7D D4
FA 63 82 D4

ShiftRows gives the state below; InvShiftRows restores the state above from it:

63 C9 FE 30
F2 63 26 F2
7D D4 C9 C9
D4 FA 63 82



Mixing

The substitution provided by the SubBytes transformation changes the value of a byte based only on its original value and an entry in the table; the process does not include the neighboring bytes. We can say that SubBytes is an intrabyte transformation. The permutation provided by the ShiftRows transformation exchanges bytes without permuting the bits inside the bytes. We can say that ShiftRows is a byte-exchange transformation. We also need an interbyte transformation that changes the bits inside a byte, based on the bits inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.

The mixing transformation changes the contents of each byte by taking four bytes at a time and combining them to recreate four new bytes. To guarantee that each new byte is different (even if all four bytes are the same), the combination process first multiplies each byte with a different constant and then mixes them. The mixing can be provided by matrix multiplication. As we discussed in Chapter 2, when we multiply a square matrix by a column matrix, the result is a new column matrix. Each element in the new matrix depends on all four elements of the old matrix after they are multiplied by row values in the constant matrix. Figure 7.11 shows the idea.

Figure 7.11 Mixing bytes using matrix multiplication

[Figure: a 4 × 4 constant matrix multiplied by an old column (a, b, c, d) gives a new column in which every entry combines all four old bytes, for example m_0,0 × a + m_0,1 × b + m_0,2 × c + m_0,3 × d for the first entry.]

AES defines a transformation, called MixColumns, to achieve this goal. There is also an inverse transformation, called InvMixColumns. Figure 7.12 shows the constant matrices used in these transformations. The two matrices are inverses of each other when the elements are interpreted as 8-bit words (or polynomials) with coefficients in GF(2). The proof is left as an exercise.



Figure 7.12 Constant matrices used by MixColumns and InvMixColumns

MixColumns:                  InvMixColumns:

| 02 03 01 01 |              | 0E 0B 0D 09 |
| 01 02 03 01 |              | 09 0E 0B 0D |
| 01 01 02 03 |              | 0D 09 0E 0B |
| 03 01 01 02 |              | 0B 0D 09 0E |

MixColumns

The MixColumns transformation operates at the column level; it transforms each column of the state to a new column. The transformation is actually the matrix multiplication of a state column by a constant square matrix. The bytes in the state column and the constant matrix are interpreted as 8-bit words (or polynomials) with coefficients in GF(2). Multiplication of bytes is done in GF(2^8) with modulus (100011011) or (x^8 + x^4 + x^3 + x + 1). Addition is the same as XORing of 8-bit words. Figure 7.13 shows the transformation.

InvMixColumns

The InvMixColumns transformation is basically the same as the MixColumns transformation. If the two constant matrices are inverses of each other, it is easy to prove that the two transformations are inverses of each other.

The MixColumns and InvMixColumns transformations are inverses of each other.

Figure 7.13 MixColumns transformation

[Figure: column c of the state, (s_0,c, s_1,c, s_2,c, s_3,c), is multiplied by the MixColumns constant matrix to give the new column c; the other columns are untouched by that step.]

Algorithm

Algorithm 7.3 shows the code for the MixColumns transformation.

Algorithm 7.3 Pseudocode for MixColumns transformation

MixColumns (S)
{
    for (c = 0 to 3)
        mixcolumn (s_c)
}

mixcolumn (col)
{
    CopyColumn (col, t)                // t is a temporary column
    col_0 ← (0x02) • t_0 ⊕ (0x03) • t_1 ⊕ t_2 ⊕ t_3
    col_1 ← t_0 ⊕ (0x02) • t_1 ⊕ (0x03) • t_2 ⊕ t_3
    col_2 ← t_0 ⊕ t_1 ⊕ (0x02) • t_2 ⊕ (0x03) • t_3
    col_3 ← (0x03) • t_0 ⊕ t_1 ⊕ t_2 ⊕ (0x02) • t_3
}

Algorithms for MixColumns and InvMixColumns involve multiplication and addition in the GF(2^8) field. As we saw in Chapter 4, there is a simple and efficient algorithm for multiplication and addition in this field. However, to show the nature of the algorithm (transformation of a column at a time), we use a routine, called mixcolumn, to be called four times by the algorithm. The routine mixcolumn simply multiplies the rows of the constant matrix by a column in the state. In the above algorithm, the operator (•) used in the mixcolumn routine is multiplication in the GF(2^8) field. It can be replaced with a simple routine as discussed in Chapter 4. The code for InvMixColumns is left as an exercise.



Example 7.5

Figure 7.14 shows how a state is transformed using the MixColumns transformation. The figure also shows that the InvMixColumns transformation creates the original one.

Figure 7.14 The MixColumns transformation in Example 7.5

State (the output of ShiftRows in Example 7.4):

63 C9 FE 30
F2 63 26 F2
7D D4 C9 C9
D4 FA 63 82

MixColumns gives the state below; InvMixColumns restores the state above from it:

62 02 27 26
CF 92 91 0D
0C 0C F4 D6
99 18 30 74

Note that equal bytes in the old state are not equal any more in the new state. For example, the two bytes F2 in the second row are changed to CF and 0D.
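The row rotations of Algorithm 7.2 and the column mixing of Algorithm 7.3 can be run on the states of Examples 7.4 and 7.5 and checked against the figures. The following Python is an added example, not the book's code: it implements ShiftRows/InvShiftRows as rotations, MixColumns/InvMixColumns as matrix multiplication over GF(2^8) with the constant matrices of Figure 7.12, and verifies that those two matrices multiply to the identity, which is the proof the text leaves as an exercise. The sample state is the one of Figure 7.10; the function names are this example's own.

```python
# Added example: ShiftRows/InvShiftRows and MixColumns/InvMixColumns on a
# 4 x 4 AES state, with the Example 7.4 / 7.5 states as constructed test data.
# Not code from the book.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Byte multiplication in GF(2^8) modulo AES_POLY (shift-and-add)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)  # times x, then reduce
        b >>= 1
    return product


# Figure 7.12: the two constant matrices (each row is a rotation of the first).
MIX_MATRIX = [[0x02, 0x03, 0x01, 0x01],
              [0x01, 0x02, 0x03, 0x01],
              [0x01, 0x01, 0x02, 0x03],
              [0x03, 0x01, 0x01, 0x02]]
INV_MIX_MATRIX = [[0x0E, 0x0B, 0x0D, 0x09],
                  [0x09, 0x0E, 0x0B, 0x0D],
                  [0x0D, 0x09, 0x0E, 0x0B],
                  [0x0B, 0x0D, 0x09, 0x0E]]


def shift_rows(state, inverse=False):
    """Row r is rotated r bytes to the left (to the right for InvShiftRows)."""
    out = []
    for r, row in enumerate(state):
        k = (-r if inverse else r) % 4
        out.append(row[k:] + row[:k])
    return out


def mix_columns(state, matrix=MIX_MATRIX):
    """new[r][c] = XOR over k of matrix[r][k] * state[k][c], one column at a
    time; pass matrix=INV_MIX_MATRIX for InvMixColumns."""
    new = [[0] * 4 for _ in range(4)]
    for c in range(4):
        column = [state[r][c] for r in range(4)]
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(matrix[r][k], column[k])
            new[r][c] = acc
    return new


def is_identity_product(a, b) -> bool:
    """Check A * B = I over GF(2^8), i.e. that the two matrices are inverses."""
    for i in range(4):
        for j in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(a[i][k], b[k][j])
            if acc != (1 if i == j else 0):
                return False
    return True


def parse_state(text: str):
    """Rows of two-digit hex bytes, written the way the figures print them."""
    return [[int(h, 16) for h in line.split()] for line in text.strip().splitlines()]


# Constructed from Figure 7.10: the state entering ShiftRows in Example 7.4.
STATE_7_4 = parse_state("""
63 C9 FE 30
F2 F2 63 26
C9 C9 7D D4
FA 63 82 D4""")

if __name__ == "__main__":
    shifted = shift_rows(STATE_7_4)      # the state entering MixColumns (Example 7.5)
    for row in mix_columns(shifted):
        print(" ".join(f"{b:02X}" for b in row))
```

The `is_identity_product` check is the whole content of the "proof left as an exercise": multiply the two circulant matrices entry by entry in GF(2^8) and confirm that only the diagonal survives.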


Key Adding

Probably the most important transformation is the one that includes the cipher key. All previous transformations use known algorithms that are invertible. If the cipher key is not added to the state at each round, it is very easy for the adversary to find the plaintext, given the ciphertext. The cipher key is the only secret between Alice and Bob in this case.

AES uses a process called key expansion (discussed later in the chapter) that creates Nr + 1 round keys from the cipher key. Each round key is 128 bits long; it is treated as four 32-bit words. For the purpose of adding the key to the state, each word is considered as a column matrix.

AddRoundKey

AddRoundKey also proceeds one column at a time. It is similar to MixColumns in this respect. MixColumns multiplies a constant square matrix by each state column; AddRoundKey adds a round key word with each state column matrix. The operation in MixColumns is matrix multiplication; the operation in AddRoundKey is matrix addition. Since addition and subtraction in this field are the same, the AddRoundKey transformation is the inverse of itself. Figure 7.15 shows the AddRoundKey transformation.

The AddRoundKey transformation is the inverse of itself.

Algorithm

The AddRoundKey transformation can be thought of as XORing each column of the state with the corresponding key word. We will discuss how the cipher key is expanded to a set of key words, but for the moment we can define this transformation as shown in Algorithm 7.4. Note that s_c and w_(4 × round + c) are 4 × 1 column matrices.

Figure 7.15 AddRoundKey transformation

[Figure: each column s_c of the state is XORed with the key word w_(4 × round + c) to give the new column.]

Algorithm 7.4 Pseudocode for AddRoundKey transformation

AddRoundKey (S)
{
    for (c = 0 to 3)
        s_c ← s_c ⊕ w_(4 × round + c)
}

We need to remember, however, that the ⊕ operator here means XORing two column matrices, each of 4 bytes. Writing a simple routine to do that is left as an exercise.

7.3 KEY EXPANSION

To create round keys for each round, AES uses a key-expansion process. If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys from one single cipher key (128 bits in AES-128). The first round key is used for the pre-round transformation (AddRoundKey); the remaining round keys are used for the last transformation (AddRoundKey) at the end of each round.

The key-expansion routine creates round keys word by word, where a word is an array of four bytes. The routine creates 4 × (Nr + 1) words that are called

w0, w1, w2, ..., w_(4(Nr+1) - 1)

In other words, in the AES-128 version (10 rounds), there are 44 words; in the AES-192 version (12 rounds), there are 52 words; and in the AES-256 version (with 14 rounds), there are 60 words. Each round key is made of four words. Table 7.3 shows the relationship between rounds and words.

Table 7.3 Words for each round

Round        Words
Pre-round    w0       w1         w2         w3
Round 1      w4       w5         w6         w7
Round 2      w8       w9         w10        w11
...          ...
Round Nr     w4Nr     w4Nr+1     w4Nr+2     w4Nr+3



Key Expansion in AES-128

Let us show the creation of words for the AES-128 version; the processes for the other two versions are the same with slight changes. Figure 7.16 shows how 44 words are made from the original key.

Figure 7.16 Key expansion in AES-128

[Figure: the 16 bytes k0 ... k15 of the cipher key form w0 ... w3. Each later word w_i is w_(i-1) ⊕ w_(i-4); when i is a multiple of 4, w_(i-1) first passes through RotWord, SubWord, and an XOR with the round constant RCon_(i/4), giving the temporary word t that is used in place of w_(i-1).]

The process is as follows:

1. The first four words (w0, w1, w2, w3) are made from the cipher key. The cipher key is thought of as an array of 16 bytes (k0 to k15). The first four bytes (k0 to k3) become w0; the next four bytes (k4 to k7) become w1; and so on. In other words, the concatenation of the words in this group replicates the cipher key.

2. The rest of the words (w_i for i = 4 to 43) are made as follows:

   a. If (i mod 4) ≠ 0, w_i = w_(i-1) ⊕ w_(i-4). Referring to Figure 7.16, this means each word is made from the one at the left and the one at the top.

   b. If (i mod 4) = 0, w_i = t ⊕ w_(i-4). Here t, a temporary word, is the result of applying two routines, SubWord and RotWord, on w_(i-1) and XORing the result with a round constant, RCon. In other words, we have

      t = SubWord (RotWord (w_(i-1))) ⊕ RCon_(i/4)

RotWord

The RotWord (rotate word) routine is similar to the ShiftRows transformation, but it is applied to only one row. The routine takes a word as an array of four bytes and shifts each byte to the left with wrapping.

SubWord

The SubWord (substitute word) routine is similar to the SubBytes transformation, but it is applied only to four bytes. The routine takes each byte in the word and substitutes another byte for it.

Each round constant, RCon, is a 4-byte value in which the rightmost three bytes are always zero. Table 7.4 shows the values for the AES-128 version (with 10 rounds).

Table 7.4 RCon constants

Round    Constant (RCon)₁₆        Round    Constant (RCon)₁₆
1        (01 00 00 00)            6        (20 00 00 00)
2        (02 00 00 00)            7        (40 00 00 00)
3        (04 00 00 00)            8        (80 00 00 00)
4        (08 00 00 00)            9        (1B 00 00 00)
5        (10 00 00 00)            10       (36 00 00 00)

The key-expansion routine can either use the above table when calculating the words or use the GF(2^8) field to calculate the leftmost byte dynamically, as shown below (prime is the irreducible polynomial):

RC_1  = x^0 mod prime = 1                    → 00000001 → 01₁₆
RC_2  = x^1 mod prime = x                    → 00000010 → 02₁₆
RC_3  = x^2 mod prime = x^2                  → 00000100 → 04₁₆
RC_4  = x^3 mod prime = x^3                  → 00001000 → 08₁₆
RC_5  = x^4 mod prime = x^4                  → 00010000 → 10₁₆
RC_6  = x^5 mod prime = x^5                  → 00100000 → 20₁₆
RC_7  = x^6 mod prime = x^6                  → 01000000 → 40₁₆
RC_8  = x^7 mod prime = x^7                  → 10000000 → 80₁₆
RC_9  = x^8 mod prime = x^4 + x^3 + x + 1    → 00011011 → 1B₁₆
RC_10 = x^9 mod prime = x^5 + x^4 + x^2 + x  → 00110110 → 36₁₆

The leftmost byte, which is called RC_i, is actually x^(i-1), where i is the round number. AES uses the irreducible polynomial (x^8 + x^4 + x^3 + x + 1).

Algorithm

Algorithm 7.5 is a simple algorithm for the key-expansion routine (version AES-128).

Algorithm 7.5 Pseudocode for key expansion in AES-128

KeyExpansion ([key0 to key15], [w0 to w43])
{
    for (i = 0 to 3)
        w_i ← key_4i + key_4i+1 + key_4i+2 + key_4i+3         // + is concatenation
    for (i = 4 to 43)
    {
        if (i mod 4 ≠ 0) w_i ← w_(i-1) ⊕ w_(i-4)
        else
        {
            t ← SubWord (RotWord (w_(i-1))) ⊕ RCon_(i/4)        // t is a temporary word
            w_i ← t ⊕ w_(i-4)
        }
    }
}
Example 7.6

Table 7.5 shows how the keys for each round are calculated assuming that the 128-bit cipher key agreed upon by Alice and Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87)₁₆.

Table 7.5 Key expansion for Example 7.6

[Table: the cipher key as w0 ... w3 (round 0), then w4 ... w43 for rounds 1 to 10; the individual word values are not legible in this copy.]

In each round, the calculation of the last three words is very simple. For the calculation of the first word, we need to first calculate the value of the temporary word (t). For example, the first t (for round 1) is calculated as

RotWord (13AA5487) = AA548713 → SubWord (AA548713) = AC20177D
t = AC20177D ⊕ RCon_1 = AC20177D ⊕ 01000000 = AD20177D

Example 7.7

Each round key in AES depends on the previous round key. The dependency, however, is nonlinear
because of the SubWord transformation. The addition of the round constants also guarantees that
each round key will be different from the previous one.

Example 7.8

The two sets of round keys can be created from two cipher keys that are different only in one bit.

Cipher Key 1: 12 45 A2 ?? 33 31 A4 A3 B2 CC A8 34 C2 BB 77 23
Cipher Key 2: 12 45 A2 ?? 23 31 A4 A3 B2 CC A8 34 C2 BB 77 23

(?? marks a byte that is not legible in the scan; the two keys differ only in the fifth byte, 33 versus 23.)



As Table 7.6 shows, there are significant differences between the two corresponding
round keys (R. means round and B.D. means bit difference).

Table 7.6 Comparing two sets of round keys

[Table: for rounds R.0 to R.10, the four round-key words derived from Cipher Key 1, the four derived from Cipher Key 2, and the number of differing bits B.D.; the word values are not reliably recoverable from the scan. The B.D. column reads 01, 02, 17, 30, 31, 14, ... for the first rounds.]

Example 7.9

The concept of weak keys, as we discussed for DES in Chapter 6, does not apply to AES. Assume
that all bits in the cipher key are 0s. The following shows the words for some rounds:

Pre-round:  00000000  00000000  00000000  00000000
Round 1:    62636363  62636363  62636363  62636363
Round 2:    9B9898C9  F9FBFBAA  9B9898C9  F9FBFBAA
Round 3:    90973450  696CCFFA  F2F45733  0B0FAC99
...
Round 10:   (the values are not legible in the scan)

The words in the pre-round and the first round are all the same. In the second round, the first
word matches with the third; the second word matches with the fourth. However, after the second
round the pattern disappears: every word is different.

Key Expansion in AES-192 and AES-256

Key-expansion algorithms in the AES-192 and AES-256 versions are very similar to
the key-expansion algorithm in AES-128, with the following differences:

1. In AES-192, the words are generated in groups of six instead of four.
   a. The cipher key creates the first six words (w0 to w5).
   b. If i mod 6 ≠ 0, wi ← wi−1 ⊕ wi−6; otherwise, wi ← t ⊕ wi−6.

2. In AES-256, the words are generated in groups of eight instead of four.
   a. The cipher key creates the first eight words (w0 to w7).
   b. If i mod 8 ≠ 0, wi ← wi−1 ⊕ wi−8; otherwise, wi ← t ⊕ wi−8.
   c. If i mod 4 = 0, but i mod 8 ≠ 0, then wi ← SubWord (wi−1) ⊕ wi−8.

Key-Expansion Analysis

The key-expansion mechanism in AES has been designed to provide several features
that thwart the cryptanalyst.

1. Even if Eve knows only part of the cipher key or the values of the words in some
   round keys, she still needs to find the rest of the cipher key before she can find all
   round keys. This is because of the nonlinearity produced by the SubWord transformation
   in the key-expansion process.

2. Two different cipher keys, no matter how similar to each other, produce two expansions
   that differ in at least a few rounds.

3. Each bit of the cipher key is diffused into several rounds. For example, changing a
   single bit in the cipher key will change some bits in several rounds.

4. The use of the constants, the RCons, removes any symmetry that may have been
   created by the other transformations.

5. There are no serious weak keys in AES, unlike in DES.

6. The key-expansion process can be easily implemented on all platforms.

7. The key-expansion routine can be implemented without storing a single table; all
   calculations can be done using the GF(2^8) and GF(2) fields.



7.4 CIPHERS

Let us see how AES uses four types of transformations for encryption and decryption.
In the standard, the encryption algorithm is referred to as the cipher and the
decryption algorithm as the inverse cipher.

As we mentioned before, AES is a non-Feistel cipher, which means that each transformation
or group of transformations must be invertible. In addition, the cipher and
the inverse cipher must use these operations in such a way that they cancel each other. The
round keys must also be used in the reverse order. Two different designs are given to be
used for different implementations. We discuss both designs for AES-128; the designs
for other versions are the same.

Original Design

In the original design, the order of transformations in each round is not the same in the
cipher and reverse cipher. Figure 7.17 shows this version.

Figure 7.17 Cipher and inverse cipher of the original design

[Figure: the cipher takes the plaintext through AddRoundKey with the cipher key and then rounds of SubBytes, ShiftRows, MixColumns and AddRoundKey to the ciphertext; the inverse cipher applies InvShiftRows, InvSubBytes, AddRoundKey and InvMixColumns, with the round keys used in the reverse order.]

First, the order of SubBytes and ShiftRows is changed in the reverse cipher.
Second, the order of MixColumns and AddRoundKey is changed in the reverse
cipher. This difference in ordering is needed to make each transformation in the
cipher aligned with its inverse in the reverse cipher. Consequently, the decryption
algorithm as a whole is the inverse of the encryption algorithm. We have shown only
three rounds, but the rest is the same. Note that the round keys are used in the reverse
order. Note that the encryption and decryption algorithms in the original design are

Algorithm

The code for the AES-128 version of this design is shown in Algorithm 7.6. The code
for the inverse cipher is left as an exercise.

Algorithm 7.6 Pseudocode for the cipher in the original design



Cipher (InBlock [16], OutBlock [16], w [0 … 43])
{
    BlockToState (InBlock, S)
    S ← AddRoundKey (S, w[0 … 3])
    for (round = 1 to 10)
    {
        S ← SubBytes (S)
        S ← ShiftRows (S)
        if (round ≠ 10) S ← MixColumns (S)
        S ← AddRoundKey (S, w[4 × round … 4 × round + 3])
    }
    StateToBlock (S, OutBlock)
}
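The key expansion of Section 7.3 (Algorithm 7.5, the dynamic RCon computation in GF(2^8), and the AES-192/AES-256 variants) and the cipher of Algorithm 7.6 are implemented together below as an added, self-contained example. It is not the book's code: the S-box is computed from its definition (multiplicative inverse followed by the affine map) instead of being copied as a table, the state is kept column-major in a flat list, and every name (xtime, gf_mul, build_sbox, rcon_table, key_expansion, encrypt_block, bits_changed) is this example's own. The key length selects the version (16, 24 or 32 bytes give Nk = 4, 6, 8 and 10, 12 or 14 rounds), so it goes beyond the AES-128 case that the pseudocode shows.

```python
# Added example, not the book's code: AES encryption for all three key sizes,
# built from the GF(2^8) arithmetic, S-box, RCon and key expansion of Section 7.3.
# All names (xtime, gf_mul, build_sbox, key_expansion, encrypt_block, ...) are ours.

AES_PRIME = 0x11B  # x^8 + x^4 + x^3 + x + 1

def xtime(a):
    """Multiply a byte by x in GF(2^8), reducing modulo the AES prime."""
    a <<= 1
    return (a ^ AES_PRIME) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) for a != 0 (square-and-multiply); the inverse of 0 is taken as 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base, e = gf_mul(base, base), e >> 1
    return r if a else 0

def build_sbox():
    """SubBytes table: inverse, then the affine map y = b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        y = b
        for k in (1, 2, 3, 4):
            y ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(y ^ 0x63)
    return box

SBOX = build_sbox()

def rcon_table(n=10):
    """Leftmost byte of RCon_i is x^(i-1) mod prime: 01 02 04 08 10 20 40 80 1B 36."""
    out, c = [], 1
    for _ in range(n):
        out.append(c)
        c = xtime(c)
    return out

RCON = rcon_table()

def rot_word(w):
    return w[1:] + w[:1]

def sub_word(w):
    return [SBOX[b] for b in w]

def key_expansion(key):
    """Algorithm 7.5 generalised to Nk = 4, 6 or 8 words; returns 4*(Nr+1) four-byte words."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = sub_word(rot_word(t))
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % 4 == 0:  # AES-256: extra SubWord when i mod 4 = 0 but i mod 8 != 0
            t = sub_word(t)
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w

# The state is 16 bytes stored column-major: s[4*c + r] is row r, column c.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r is rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Multiply every column by the constant matrix C = [[2,3,1,1],[1,2,3,1],[1,1,2,3],[3,1,1,2]]."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def add_round_key(s, w, rnd):
    """XOR column c of the state with word w[4*rnd + c]."""
    return [s[4 * c + r] ^ w[4 * rnd + c][r] for c in range(4) for r in range(4)]

def encrypt_block(plaintext, key):
    """Cipher of the original design (Algorithm 7.6); MixColumns is skipped in the last round."""
    w = key_expansion(key)
    nr = len(w) // 4 - 1
    s = add_round_key(list(plaintext), w, 0)
    for rnd in range(1, nr + 1):
        s = shift_rows(sub_bytes(s))
        if rnd != nr:
            s = mix_columns(s)
        s = add_round_key(s, w, rnd)
    return bytes(s)

def bits_changed(a, b):
    """Hamming distance between two byte strings: the avalanche measure of Example 7.13."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

With the all-zero key, `key_expansion(bytes(16))` reproduces the word pattern of Example 7.9 (62636363 four times in round 1, then 9B9898C9 / F9FBFBAA alternating in round 2), and `sub_word(rot_word([0x13, 0xAA, 0x54, 0x87]))` gives the AC20177D of Example 7.6; `bits_changed` on two ciphertexts whose plaintexts differ in one bit reproduces the avalanche check of Example 7.13.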



Alternative Design

For those applications that prefer similar algorithms for encryption and decryption, a
different inverse cipher was developed. In this version, the transformations in the
reverse cipher are rearranged to make the order of transformations the same in the
cipher and reverse cipher. In this design, invertibility is provided for a pair of transformations,
not for each single transformation.

SubBytes/ShiftRows Pairs

SubBytes changes the contents of each byte without changing the order of the bytes in
the state; ShiftRows changes the order of the bytes in the state without changing the contents
of the bytes. This implies that we can change the order of these two transformations
in the inverse cipher without affecting the invertibility of the whole algorithm.
Figure 7.18 shows the idea. Note that the combinations of two transformations in the
cipher and inverse cipher are the inverses of each other.



Figure 7.18 Invertibility of SubBytes and ShiftRows combinations

[Figure: in the cipher, SubBytes is followed by ShiftRows; in the inverse cipher, InvSubBytes is followed by InvShiftRows; each combination undoes the other.]

MixColumns/AddRoundKey Pairs

Here the two involved transformations are of different nature. However, the pairs can
become inverses of each other if we multiply the key matrix by the inverse of the constant
matrix used in the MixColumns transformation. We call the new transformation
InvAddRoundKey. Figure 7.19 shows the new configuration.



Figure 7.19 Invertibility of MixColumns and AddRoundKey combinations

[Figure: in the cipher, MixColumns is followed by AddRoundKey with the round key; in the inverse cipher, InvMixColumns is followed by InvAddRoundKey, whose round key has been multiplied by the inverse constant matrix.]

It can be proved that the two combinations are now inverses of each other. In the
cipher we call the input state to the combination S and the output state T. In the reverse
cipher the input state to the combination is T; the following shows that the output state
is also S. Note that the MixColumns transformation is actually multiplication of the
C matrix (constant matrix) by the state.

Cipher:          $T = CS \oplus K$

Inverse Cipher:  $C^{-1}T \oplus C^{-1}K = C^{-1}(CS \oplus K) \oplus C^{-1}K = C^{-1}CS \oplus C^{-1}K \oplus C^{-1}K = S$

Now we can show the cipher and inverse cipher for the alternate design. Note that
we still need to use two AddRoundKey transformations in the decryption. In other
words, we have nine InvAddRoundKey and two AddRoundKey transformations as
shown in Figure 7.20.

Changing Key-Expansion Algorithm

Instead of using the InvAddRoundKey transformation in the reverse cipher, the key-expansion
algorithm can be changed to create a different set of round keys for the inverse cipher.




Figure 7.20 Cipher and reverse cipher in alternate design

[Figure: the plaintext and cipher key enter the cipher; the reverse cipher uses the same order of transformations as the cipher, with InvAddRoundKey in rounds 1 to 9 and AddRoundKey in the pre-round and the last round.]

However, note that the round key for the pre-round operation and the last round should
not be changed. The round keys for rounds 1 to 9 need to be multiplied by the constant
matrix. This algorithm is left as an exercise.
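The derivation above for the MixColumns/AddRoundKey pair can be checked numerically. The following is an added example (not the book's code): it multiplies 4 × 4 matrices over GF(2^8), uses the constant matrix C of MixColumns and its inverse, builds the InvAddRoundKey key as C⁻¹·K as the text describes, and confirms that the alternative-design pair InvMixColumns → InvAddRoundKey returns the original state S, exactly as the original-design pair AddRoundKey → InvMixColumns does. The matrix entries of C and C⁻¹ are the standard AES constants; the sample state and round key are constructed bytes, and all function names are this example's own.

```python
# Added example, not the book's code: the MixColumns/AddRoundKey pair and its
# inverse in the alternative design, checked over GF(2^8).

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

# Constant matrix C of MixColumns and its inverse C^-1 (used by InvMixColumns).
C = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
C_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
IDENTITY = [[int(r == c) for c in range(4)] for r in range(4)]

def gf_mat_mul(m, s):
    """4x4 matrix product over GF(2^8): entries multiplied with gf_mul, summed with XOR."""
    out = [[0] * 4 for _ in range(4)]
    for r in range(4):
        for c in range(4):
            for k in range(4):
                out[r][c] ^= gf_mul(m[r][k], s[k][c])
    return out

def xor_state(a, b):
    """AddRoundKey-style addition: element-wise XOR of two 4x4 states."""
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def cipher_pair(s, k):
    """Cipher side: MixColumns then AddRoundKey, T = C.S (+) K."""
    return xor_state(gf_mat_mul(C, s), k)

def inv_add_round_key(k):
    """The modified round key of the alternative design: C^-1 . K."""
    return gf_mat_mul(C_INV, k)

def inverse_pair(t, k):
    """Alternative design: InvMixColumns then InvAddRoundKey, C^-1.T (+) C^-1.K = S."""
    return xor_state(gf_mat_mul(C_INV, t), inv_add_round_key(k))

def original_inverse_pair(t, k):
    """Original design for comparison: AddRoundKey first, then InvMixColumns."""
    return gf_mat_mul(C_INV, xor_state(t, k))

# Constructed sample state S and round key K (arbitrary bytes, not taken from the book).
SAMPLE_S = [[0x19, 0xA0, 0x9A, 0xE9], [0x3D, 0xF4, 0xC6, 0xF8],
            [0xE3, 0xE2, 0x8D, 0x48], [0xBE, 0x2B, 0x2A, 0x08]]
SAMPLE_K = [[0x63, 0x7C, 0x77, 0x7B], [0xF2, 0x6B, 0x6F, 0xC5],
            [0x30, 0x01, 0x67, 0x2B], [0xFE, 0xD7, 0xAB, 0x76]]
```

`inverse_pair(cipher_pair(SAMPLE_S, SAMPLE_K), SAMPLE_K)` returns `SAMPLE_S`, and so does `original_inverse_pair`; the two inverse orderings are interchangeable precisely because the round key has been pre-multiplied by C⁻¹.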


7.5 EXAMPLES

In this section, some examples of encryption/decryption and key generation are given
to emphasize some points discussed in the two previous sections.

Example 7.10

The following shows the ciphertext block created from a plaintext block using a randomly
selected cipher key.

Plaintext:   00 04 12 14 12 04 12 00 0C 00 13 11 08 23 19 19
Cipher Key:  24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87
Ciphertext:  BC 02 BE ?? ED B3 B1 95 58 0D 6D F8 E6 ?? 82 41

(?? marks a byte that is not legible in the scan.)

Table 7.7 shows the values of state matrices and round keys for this example.



Table 7.7 Example of encryption

Round        State (input)        Output State          Round Key
Pre-round    00 12 0C 08          24 26 3D 1B           24 34 31 13
             04 04 00 23          71 71 E2 89           75 75 E2 AA
             12 12 13 19          B0 44 01 4D           A2 56 12 54
             14 00 11 19          A7 88 11 9E           B3 88 00 87

[Rounds 1 to 10: the state, output-state and round-key matrices are not reliably recoverable from the scan; the output state of round 10 is the ciphertext of Example 7.10.]

Example 7.11

Figure 7.21 shows the state entries in one round, round 7, in Example 7.10.

Figure 7.21 State in a single round

[Figure: the 4 × 4 states of round 7 of Example 7.10 (input state, after SubBytes, after ShiftRows, after MixColumns); the byte values are not reliably recoverable from the scan.]

Example 7.12

One may be curious to see the result of encryption when the plaintext is made of all 0s. Using the
cipher key in Example 7.10 yields the ciphertext:

Plaintext:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Cipher Key:  24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87
Ciphertext:  63 2C D4 5E 5D ?6 EE B5 62 04 01 A0 AA 9C 2D 3D

(?6 marks a byte whose first hex digit is not legible in the scan.)



Example 7.13

Let us check the avalanche effect that we discussed in Chapter 6. Let us change only one bit in
the plaintext and compare the results. We changed only one bit in the last byte. The result clearly
shows the effect of diffusion and confusion. Changing a single bit in the plaintext has affected
many bits in the ciphertext.

Plaintext 1:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Plaintext 2:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
Ciphertext 1:  63 2C D4 5E 5D ?6 EE B5 62 04 01 A0 AA 9C 2D 3D
Ciphertext 2:  26 AC A1 ?C 07 ?7 C7 2? 7E 30 63 92 73 13 (two further bytes are not legible in the scan)

(? marks a hex digit that is not legible in the scan.)



Example 7.14

The following shows the effect of using a cipher key in which all bits are 0s.

Plaintext:   00 04 12 14 12 04 12 00 0C 00 13 11 08 23 19 19
Cipher Key:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ciphertext:  5A 6F 4B ?? 57 37 ?? D2 C4 10 91 ED 64 9A 43 72

(?? marks a byte that is not legible in the scan.)



7.6 ANALYSIS OF AES

Following is a review of the three characteristics of AES.

Security

AES was designed after DES. Most of the known attacks on DES were already tested
on AES; none of them has broken the security of AES so far.

Brute-Force Attack

AES is definitely more secure than DES due to the larger-size key (128, 192, and
256 bits). Let us compare DES with 56-bit cipher key and AES with 128-bit cipher key.
For DES we need 2^56 (ignoring the key complement issue) tests to find the key; for AES
we need 2^128 tests to find the key. This means that if we can break DES in t seconds, we
need (2^72 × t) seconds to break AES. This would be almost impossible. In addition,
AES provides two other versions with longer cipher keys. The lack of weak keys is
another advantage of AES over DES.

Statistical Attacks

The strong diffusion and confusion provided by the combination of the SubBytes,
ShiftRows, and MixColumns transformations removes any frequency pattern in the
plaintext. Numerous tests have failed to do statistical analysis of the ciphertext.

Differential and Linear Attacks

AES was designed after DES. Differential and linear cryptanalysis attacks were no
doubt taken into consideration. There are no differential and linear attacks on AES
as yet.

Implementation

AES can be implemented in software, hardware, and firmware. The implementation
can use table lookup process or routines that use a well-defined algebraic structure. The
transformation can be either byte-oriented or word-oriented. In the byte-oriented version,
the whole algorithm can use an 8-bit processor; in the word-oriented version,
it can use a 32-bit processor. In either case, the design of constants makes processing
very fast.



Simplicity and Cost

The algorithms used in AES are so simple that they can be easily implemented using
cheap processors and a minimum amount of memory.

7.7 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this
chapter. We recommend the following books and sites. The items enclosed in brackets
refer to the reference list at the end of the book.

Books

[Sta06], [Sti06], [RM33], [Sei103], [Mao04], and [W06] discuss AES.

WebSites

The following websites give more information about topics discussed in this chapter.

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
http://www.quadibloc.com/crypto/co040401.htm
http://www.ietf.org/rfc/rfc3…

7.8 KEY TERMS

AddRoundKey
Advanced Encryption Standard (AES)
bit
block
cipher
InvAddRoundKey
inverse cipher
InvMixColumns
InvShiftRows
InvSubBytes
key expansion
MixColumns
National Institute of Standards and Technology (NIST)
Rijndael
RotWord
ShiftRows
state
SubBytes
SubWord
word



7.9 SUMMARY

□ The Advanced Encryption Standard (AES) is a symmetric-key block cipher published
  by NIST as FIPS 197. AES is based on the Rijndael algorithm.

□ AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It
  uses 10, 12, or 14 number of rounds. The key size, which can be 128, 192, or 256 bits,
  depends on the number of rounds.

□ AES is byte-oriented. The 128-bit plaintext or ciphertext is considered as sixteen 8-bit
  bytes. To be able to perform some mathematical transformations on bytes, AES has
  defined the concept of a state. A state is a 4 × 4 matrix in which each entry is a byte.

□ To provide security, AES uses four types of transformations: substitution, permutation,
  mixing, and key-adding. Each round of AES, except the last, uses the four
  transformations. The last round uses only three of the four transformations.

□ Substitution is defined by either a table lookup process or mathematical calculation
  in the GF(2^8) field. AES uses two invertible transformations, SubBytes and
  InvSubBytes, which are inverses of each other.

□ The second transformation in a round is shifting, which permutes the bytes. In the
  encryption, the transformation is called ShiftRows. In the decryption, the transformation
  is called InvShiftRows. The ShiftRows and InvShiftRows transformations
  are inverses of each other.

□ The mixing transformation changes the contents of each byte by taking four bytes
  at a time and combining them to recreate four new bytes. AES defines two transformations,
  MixColumns and InvMixColumns, to be used in the encryption and
  decryption. MixColumns multiplies the state matrix by a constant square matrix;
  the InvMixColumns does the same using the inverse constant matrix. The
  MixColumns and InvMixColumns transformations are inverses of each other.

□ The transformation that performs key-adding is called AddRoundKey. The previous
  state is added (matrix addition) with the round key matrix to create the new state.
  Addition of individual elements in the two matrices is done in GF(2^8), which means
  that 8-bit words are XORed. The AddRoundKey transformation is the inverse of itself.

□ In the first configuration (10 rounds with 128-bit keys), the key generator creates
  eleven 128-bit round keys out of the 128-bit cipher key. AES uses the concept of a
  word for key generation. A word is made of four bytes. The round keys are generated
  word by word. AES numbers the words from w0 to w43. The process is
  referred to as key expansion.

□ AES cipher uses two algorithms for decryption. In the original design, the order
  of transformations in each round is not the same in the encryption and decryption.
  In the alternative design, the transformations in the decryption algorithm are
  rearranged to make ordering the same in encryption and decryption. In the second
  version, the invertibility is provided for a pair of transformations.



7.10 PRACTICE SET

Review Questions

1. List the criteria defined by NIST for AES.

2. List the parameters (block size, key size, and the number of rounds) for the three
   AES versions.

3. How many transformations are there in each version of AES? How many round
   keys are needed in each version?

4. Compare DES and AES. Which one is bit-oriented? Which one is byte-oriented?

5. Define a state in AES. How many states are there in each version of AES?

6. Which of the four transformations defined for AES change the contents of bytes?
   Which one does not change the contents of the bytes?

7. Compare the substitution in DES and AES. Why do we have only one substitution
   table (S-box) in AES, but several in DES?

8. Compare the permutation in DES and AES. Why do we need expansion and compression
   permutations in DES, but not in AES?

9. Compare the round keys in DES and AES. In which cipher is the size of the round
   key the same as the size of the block?

10. Why do you think the mixing transformation (MixColumns) is not needed in DES,
    but is needed in AES?

Exercises

11. In a cipher, S-boxes can be either static or dynamic. The parameters in a static S-box
    do not depend on the key.
    a. Give some advantages and some disadvantages of static and dynamic S-boxes.
    b. Are the S-boxes (substitution tables) in AES static or dynamic?

12. AES has a larger block size than DES (128 versus 64). Is this an advantage or disadvantage?
    Explain.

13. AES defines different implementations with three different numbers of rounds
    (10, 12, and 14); DES defines only one implementation with 16 rounds. What are
    the advantages and disadvantages of AES over DES with respect to this
    difference?

14. AES defines three different cipher-key sizes (128, 192, and 256); DES defines only
    one cipher-key size (56). What are the advantages and disadvantages of AES over
    DES with respect to this difference?

15. In AES, the size of the block is the same as the size of the round key (128 bits); in
    DES, the size of the block is 64 bits, but the size of the round key is only 48 bits.
    What are the advantages and disadvantages of AES over DES with respect to this
    difference?

16. Prove that the ShiftRows and InvShiftRows transformations are permutations by
    doing the following:
    a. Show the permutation table for ShiftRows. The table needs to have 128 entries,
       but since the contents of a byte do not change, the table can have only 16 entries
       with the assumption that each entry represents a byte.
    b. Repeat Part a for the InvShiftRows transformation.
    c. Using the results of Parts a and b, prove that the ShiftRows and InvShiftRows
       transformations are inverses of each other.

17. Using the same cipher key, apply each of the following transformations on two
    plaintexts that differ only in the first bit. Find the number of bits changed after each
    transformation. Each transformation is applied independently.
    a. SubBytes
    b. ShiftRows
    c. MixColumns
    d. AddRoundKey (with the same round keys of your choice)

18. To see the nonlinearity of the SubBytes transformation, show that if a and b are
    two bytes, we have

    SubBytes (a ⊕ b) ≠ SubBytes (a) ⊕ SubBytes (b)

    for a = 0x57 and b = 0xA2.

19. Give a general formula to calculate the number of each kind of transformation
    (SubBytes, ShiftRows, MixColumns, and AddRoundKey) and the number of total
    transformations for each version of AES. The formula should be parametrized on
    the number of rounds.

20. Redraw Figure 7.16 for AES-192 and AES-256.

21. Create two new tables that show RCon constants for the AES-192 and AES-256
    implementations (see Table 7.4).

22. In AES-128, the round key used in the pre-round operation is the same as the
    cipher key. Is this the case for AES-192? Is this the case for AES-256?

23. In the figure for the SubBytes transformation, multiply the X and X^−1 matrices to prove that they are inverses of
    each other.

24. Using Figure 7.12, rewrite the square matrices C and C^−1 using polynomials with
    coefficients in GF(2). Multiply the two matrices and prove that they are inverses of
    each other.

25. Prove that the code in Algorithm 7.1 (SubBytes transformation) matches the process
    shown in Figure 7.8.

26. Using Algorithm 7.1 (SubBytes transformation), define the following:
    a. Write the code for a routine that calculates the inverse of a byte in GF(2^8).
    b. Write the code for ByteToMatrix.
    c. Write the code for MatrixToByte.

27. Write an algorithm for the InvSubBytes transformation.

28. Prove that the code in Algorithm 7.2 (ShiftRows transformation) matches the process
    shown in Figure 7.9.

29. Using Algorithm 7.2 (ShiftRows transformation), write the code for the CopyRow
    routine.

30. Write an algorithm for the InvShiftRows transformation.

31. Prove that the code in Algorithm 7.3 (MixColumns transformation) matches with
    the process shown in Figure 7.13.

32. Using Algorithm 7.3 (MixColumns transformation), write the code for the CopyColumn
    routine.

33. Rewrite Algorithm 7.3 (MixColumns transformation) replacing the operator (•)
    with a routine called MultField to calculate the multiplication of two bytes in the

34. Write an algorithm for the InvMixColumns transformation.

35. Prove that the code in Algorithm 7.4 (AddRoundKey transformation) matches the
    process shown in Figure 7.15.

36. In Algorithm 7.5 (Key Expansion),
    a. Write the code for the SubWord routine.
    b. Write the code for the RotWord routine.

37. Give two new algorithms for key expansion in AES-192 and AES-256 (see Algorithm
    7.5).

38. Write the key-expansion algorithm for the alternate reverse cipher.

39. Write the algorithm for the inverse cipher in the original design.

40. Write the algorithm for the inverse cipher in the alternative design.

Chapter 8
Encipherment Using Modern Symmetric-Key Ciphers

Objectives

This chapter has several objectives:

□ To show how modern standard ciphers, such as DES or AES, can be
  used to encipher long messages.

□ To discuss five modes of operation designed to be used with modern
  block ciphers.

□ To define which mode of operation creates stream ciphers out of the
  underlying block ciphers.

□ To discuss the security issues and the error propagation of different
  modes of operation.

□ To discuss two stream ciphers used for real-time processing of data.

This chapter shows how the concepts discussed in Chapter 5 and two
modern block ciphers discussed in Chapters 6 and 7 can be used to encipher
long messages. It also introduces two stream ciphers.

8.1 USE OF MODERN BLOCK CIPHERS

Symmetric-key encipherment can be done using modern block ciphers. The two
modern block ciphers discussed in Chapters 6 and 7, namely DES and AES, are
designed to encipher and decipher a block of text of fixed size. DES encrypts and
decrypts a block of 64 bits; AES encrypts and decrypts a block of 128 bits. In real-life
applications the text to be enciphered is of variable size and normally much
larger than 64 or 128 bits. Modes of operation have been devised to encipher text of
any size employing either DES or AES. Figure 8.1 shows the five modes of operation
that will be discussed here.



Figure 8.1 Modes of operation

[Figure: the five modes of operation: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), output feedback (OFB), and counter (CTR).]

Electronic Codebook (ECB) Mode

The simplest mode of operation is called the electronic codebook (ECB) mode. The
plaintext is divided into N blocks. The block size is n bits. If the plaintext size is not a
multiple of the block size, the text is padded to make the last block the same size as the
other blocks. The same key is used to encrypt and decrypt each block. Figure 8.2 shows
the encryption and decryption in this mode.

Figure 8.2 Electronic codebook (ECB) mode

E: Encryption             D: Decryption
P_i: Plaintext block i    C_i: Ciphertext block i
K: Secret key

[Figure: each n-bit plaintext block P_i is encrypted independently under K to give C_i; each n-bit C_i is decrypted independently under K to recover P_i.]

The relation between plaintext and ciphertext block is shown below:

Encryption: $C_i = E_K(P_i)$      Decryption: $P_i = D_K(C_i)$

Example 8.1

It can be proved that each plaintext block at Alice's site is exactly recovered at Bob's site.
Because encryption and decryption are inverses of each other,

$P_i = D_K(C_i) = D_K(E_K(P_i)) = P_i$

Example 8.2

This mode is called electronic codebook because one can precompile 2^K codebooks (one for each
key) in which each codebook has 2^n entries in two columns. Each entry can list the plaintext and
the corresponding ciphertext block. However, if K and n are large, the codebook would be far
too large to precompile and maintain.

Security Issues

There are security issues in ECB mode:

1. Patterns at the block level are preserved. For example, equal blocks in the plaintext
   become equal blocks in the ciphertext. If Eve finds out that ciphertext blocks 1, 5,
   and 10 are the same, she knows that plaintext blocks 1, 5, and 10 are the same. This
   is a leak in security. For example, Eve can do an exhaustive search to decrypt only
   one of the blocks to find the contents of all of them.

2. The block independency creates opportunities for Eve to exchange some ciphertext
   blocks without knowing the key. For example, if she knows that a certain block always
   conveys some particular information, she can replace this block with the corresponding
   block in the previously intercepted message.

Example 8.3

Assume that Eve works in a company a few hours per month (her monthly payment is very
low). She knows that the company uses several blocks of information for each employee in
which the seventh block is the amount of money to be deposited in the employee's account.
Eve can intercept the ciphertext sent to the bank at the end of the month, replace the block
with the information about her payment with a copy of the block with the information about
the payment of a full-time colleague. Each month Eve can receive more money than she
deserves.

V 

Error Propagation

A single bit error in transmission can create errors in several (normally half of the bits
or all of the bits) in the corresponding block. However, the error does not have any
effect on the other blocks.

Algorithm

Simple algorithms can be written for encryption or decryption. Algorithm 8.1 gives the
pseudocode routine for encryption; the routine for decryption is left as an exercise. E_K
encrypts a single block and can be one of the ciphers discussed in Chapters 6 or 7 (DES
or AES).

Algorithm 8.1 Encryption for ECB mode

ECB_Encryption (K, Plaintext blocks)
{
    for (i = 1 to N)
    {
        C_i ← E_K (P_i)
    }
    return Ciphertext blocks
}



■JiAPTER £ 



ENCJPHU&MENT USING MODERN SYMMETRIC KEY CIPHERS 
4> 



Ciphertext Stealing

In ECB mode, padding must be added to the last block if it is not n bits long. Padding is not always possible; for example, when the ciphertext needs to be stored in the buffer where the plaintext was previously stored, plaintext and ciphertext must be the same length. A technique called ciphertext stealing (CTS) can make it possible to use ECB mode without padding. In this technique the last two plaintext blocks, P_{N-1} and P_N, are encrypted differently and out of order, assuming that P_{N-1} has n bits and P_N has m bits, where m <= n. The head_m function selects the leftmost m bits; the tail_{n-m} function selects the rightmost n - m bits. The detailed diagram and the procedure of the encryption and decryption are left as exercises.




Applications

The ECB mode of operation is not recommended for encryption of messages of more than one block to be transferred through an insecure channel. If the message is short enough to fit in one block, the security issues and propagation errors are tolerable.

One area where the independency of the ciphertext blocks is useful is where records need to be encrypted before they are stored in a database and decrypted before they are retrieved. Because the order of encryption and decryption of blocks is not important in this mode, access to the database can be random if each record is a block or multiple blocks. A record can be retrieved from the middle, decrypted, and re-encrypted after modification without affecting other records. Note that the pattern leak described above still applies to such a database: two records with an equal field produce an equal ciphertext block, which is why practice today prefers a per-record IV (CBC with a fresh IV, or CTR with a record-dependent counter) over plain ECB.

Another advantage of this mode is that we can use parallel processing if we need to create, for example, a very large encrypted database.


Cipher Block Chaining (CBC) Mode

The next evolution in the operation mode is the cipher block chaining (CBC) mode. In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted. When a block is enciphered, the block is sent, but a copy of it is kept in memory to be used in the encryption of the next block. The reader may wonder about the initial block. There is no ciphertext block before the first block. In this case, a phony block called the initialization vector (IV) is used. The sender and receiver agree upon a specific predetermined IV. In other words, an IV is used instead of the nonexistent C_0. Figure 8.3 shows CBC mode. At the sender side, exclusive-oring is done before encryption; at the receiver side, decryption is done before exclusive-oring.



Figure 8.3 Cipher block chaining (CBC) mode

(Figure legend: E: Encryption, D: Decryption, P_i: Plaintext block i, C_i: Ciphertext block i, K: Secret key, IV: Initial vector (C_0))

SECTION 8.1 USE OF MODERN BLOCK CIPHERS

The relation between plaintext and ciphertext blocks is shown below:

    Encryption: C_i = E_K(P_i ⊕ C_{i-1})        Decryption: P_i = D_K(C_i) ⊕ C_{i-1}

Example 8.4

It can be proved that each plaintext block at Alice's site is recovered exactly at Bob's site. Because encryption and decryption are inverses of each other,

    P_i = D_K(C_i) ⊕ C_{i-1} = D_K(E_K(P_i ⊕ C_{i-1})) ⊕ C_{i-1} = P_i ⊕ C_{i-1} ⊕ C_{i-1} = P_i

Initialization Vector (IV)

The initialization vector (IV) should be known by the sender and the receiver. Although keeping the vector secret is not necessary, the integrity of the vector plays an important role in the security of CBC mode: the IV should be kept safe from change. If Eve can change the bit values of the IV, she can change the bit values of the first plaintext block (each flipped IV bit flips the bit in the same position of P_1 after decryption).

Several methods have been recommended for using the IV. A pseudorandom number can be selected by the sender and transmitted through a secure channel (using ECB mode, for example). A fixed value can be agreed upon by Alice and Bob as the IV when the secret key is established. It can be part of the secret key, and so on. A fixed or key-derived IV, however, reintroduces the problem described under Security Issues below (messages with an equal prefix encrypt identically); current guidance (NIST SP 800-38A) is that a CBC IV must be unpredictable to the attacker, and it is normally sent in the clear in front of the ciphertext.

Security Issues

Following are two of the security issues in CBC mode:

1. In CBC mode, equal plaintext blocks belonging to the same message are enciphered into different ciphertext blocks. In other words, the patterns at the block level are not preserved. However, if two messages are equal, their encipherment is the same if they use the same IV. As a matter of fact, if the first M blocks in two different messages are equal, they are enciphered into equal blocks unless different IVs are used. For this reason, some people recommend the use of a timestamp as an IV (a timestamp differs per message but is predictable, which is why an unpredictable IV is preferred today).

2. Eve can add some ciphertext blocks to the end of the ciphertext stream. More generally, none of the modes in this chapter detects modification of the ciphertext; integrity requires a separate message authentication code (Chapter 11) or an authenticated mode of operation.

Error Propagation

In CBC mode, a single bit error in ciphertext block C_j during transmission may create errors in most bits in plaintext block P_j during decryption. However, this single error toggles only one bit in plaintext block P_{j+1} (the bit in the same location). The proof of this fact is left as an exercise. Plaintext blocks P_{j+2} to P_N are not affected by this single bit error. A single bit error in ciphertext is self-recovered.
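The ECB weaknesses (the block-pattern leak and Eve's cut-and-paste of Example 8.3) and the CBC properties just described (hidden patterns, IV tampering, and the single-bit error that garbles P_j but toggles only one bit of P_{j+1}) can all be observed directly. The following Python is an added example, not code from the book: a toy 64-bit Feistel block cipher built on SHA-256 stands in for E_K and D_K (DES or AES would be used in practice), and the payroll record layout, key, and IV are constructed for the demonstration rather than taken from the text.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, like DES


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy cipher: a keyed hash of one 32-bit half."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: a 4-round Feistel network (a toy, NOT a real-world cipher)."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for D_K: the same rounds applied in reverse order."""
    r, l = block[:4], block[4:]
    for rnd in reversed(range(4)):
        r, l = l, xor(r, _f(key, rnd, l))
    return l + r


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:      # len(pt) must be a multiple of BLOCK
    return b"".join(toy_encrypt(key, p) for p in blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt(key, c) for c in blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []                  # prev plays the role of C_{i-1}, starting at C_0 = IV
    for p in blocks(pt):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


KEY = b"bank-key"   # constructed key for the demonstrations below


def make_record(name: bytes, amount: bytes) -> bytes:
    """Constructed payroll record: eight 8-byte fields; field 7 (block index 6) is the amount."""
    return b"".join([name.ljust(8), b"dept-042", b"grade-01", b"acct-771",
                     b"tax-code", b"bank-001", amount.ljust(8), b"end-rec "])


def ecb_cut_and_paste(key: bytes = KEY):
    """Example 8.3: Eve swaps her encrypted amount block for her colleague's, without the key."""
    c_eve = ecb_encrypt(key, make_record(b"eve", b"00000100"))
    c_bob = ecb_encrypt(key, make_record(b"bob", b"00005000"))
    pattern_leak = c_eve[8:48] == c_bob[8:48]      # identical middle fields -> identical ciphertext
    forged = c_eve[:48] + c_bob[48:56] + c_eve[56:]
    return pattern_leak, ecb_decrypt(key, forged)[48:56]


def cbc_iv_tamper(key: bytes = KEY):
    """CBC hides the repeated block, but flipping an IV bit flips the same bit of P_1."""
    iv = bytes(BLOCK)                                   # constructed IV
    ct = cbc_encrypt(key, iv, b"PAY=0100PAY=0100")
    hidden = ct[:8] != ct[8:]
    bad_iv = xor(iv, bytes([0, 0, 0, 0, 0x01, 0, 0, 0]))
    return hidden, cbc_decrypt(key, bad_iv, ct)[:8]     # first block now reads PAY=1100


def cbc_bit_error(key: bytes = KEY):
    """One bit error in C_2: P_1 intact, P_2 garbage, P_3 has exactly the same bit flipped."""
    iv = bytes(BLOCK)
    pt = b"block-01block-02block-03"
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[9] ^= 0x80                                       # byte 1 of C_2, one bit
    out = cbc_decrypt(key, iv, bytes(ct))
    return out[:8] == pt[:8], out[8:16] != pt[8:16], xor(out[16:], pt[16:])
```

`ecb_cut_and_paste` returns the forged amount `b"00005000"`: Eve never touched the key. `cbc_iv_tamper` returns `b"PAY=1100"` for the first block while the second block is untouched, and the difference returned by `cbc_bit_error` is a single 0x80 in byte 1 of P_3, matching the error-propagation rule above.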

Algorithm

Algorithm 8.2 gives the pseudocode for encryption. The algorithm calls the encrypt routine that encrypts a single block (DES or AES, for example). The decryption algorithm is left as an exercise.

Algorithm 8.2 Encryption algorithm for CBC mode

    CBC_Encryption (IV, K, Plaintext blocks)
    {
        C_0 <- IV
        for (i = 1 to N)
        {
            Temp <- P_i ⊕ C_{i-1}
            C_i <- E_K(Temp)
        }
        return Ciphertext blocks
    }






Ciphertext Stealing

The ciphertext stealing technique described for ECB mode can also be applied to CBC mode. The head function is the same as described in ECB mode; the pad function pads the short last block P_N with 0s before it enters the chain.



Applications

The CBC mode of operation can be used to encipher messages. However, because of the chaining mechanism, parallel processing of encryption is not possible (decryption of block i needs only C_i and C_{i-1}, so decryption can be parallelized). CBC mode is not used to encrypt and decrypt random-access file records because encryption and decryption require access to the previous records. As we will see in Chapter 11, CBC mode is also used for authentication.



Cipher Feedback (CFB) Mode

ECB and CBC modes encrypt and decrypt blocks of the message. The block size, n, is predetermined by the underlying cipher; for example, n = 64 for DES and n = 128 for AES. In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block sizes are to be smaller. For example, to encrypt and decrypt ASCII 8-bit characters, you would not want to use one of the traditional ciphers discussed in Chapter 3 because they are insecure. The solution is to use DES or AES in cipher feedback (CFB) mode. In this mode the size of the block used in DES or AES is n, but the size of the plaintext or ciphertext block is r, where r <= n.

The idea is to use DES or AES, not for encrypting the plaintext or decrypting the ciphertext, but to encrypt the contents of a shift register, S, of size n. Encryption is done by exclusive-oring an r-bit plaintext block with r bits of the shift register. Decryption is done by exclusive-oring an r-bit ciphertext block with r bits of the shift register. For each block, the shift register S_i is made by shifting the shift register S_{i-1} (previous shift register) r bits to the left and filling the rightmost r bits with C_{i-1}. S_i is then encrypted to T_i. Only the leftmost r bits of T_i are exclusive-ored with the plaintext block to make C_i. Note that S_1, which is not shifted, is set to the IV for the first block.

Figure 8.4 shows the CFB mode for enciphering; deciphering is the same, but the roles of plaintext blocks (P_i's) and ciphertext blocks (C_i's) are switched. Note that both encipherment and decipherment use the encryption function of the underlying block cipher (DES or AES, for example).

Figure 8.4 Encryption in cipher feedback (CFB) mode

(Figure legend: E: Encryption, D: Decryption, S_i: Shift register, P_i: Plaintext block i, C_i: Ciphertext block i, T_i: Temporary register, K: Secret key, IV: Initial vector (S_1); the plaintext and ciphertext units are r bits, the shift register is n bits)

In CFB mode, encipherment and decipherment use the encryption function of the underlying block cipher.

^ 

The relation between plaintext and ciphertext blocks is shown below:

    S_i = ShiftLeft_r(S_{i-1}) | C_{i-1}        T_i = E_K(S_i)        k_i = SelectLeft_r(T_i)
    Encryption: C_i = P_i ⊕ k_i                 Decryption: P_i = C_i ⊕ k_i

where the ShiftLeft_r routine shifts the contents of its argument r bits to the left (the leftmost r bits are dropped), the operator | shows the concatenation, and the SelectLeft_r routine selects only the leftmost r bits from the argument. It can be proven that each plaintext block at Alice's site is recovered exactly at Bob's site, but the proof is left as an exercise.

One interesting point about this mode is that no padding is required because the size of the blocks, r, is normally chosen to fit the data unit to be encrypted (a character, for example). Another interesting point is that the system does not have to wait until it has received a large block of data (64 bits or 128 bits) before starting the encryption. The encrypting process is done for a small unit of data (such as a character). These two advantages come with a disadvantage. CFB is less efficient than CBC or ECB, because it needs to apply the encryption function of the underlying block cipher for each small block of size r.

CFB as a Stream Cipher

Although CFB is an operation mode for using block ciphers such as DES or AES, the result is a stream cipher. In fact, it is a nonsynchronous stream cipher in which the key stream is dependent on the ciphertext. Figure 8.5 shows the picture of the encryption and decryption where the key generator is conspicuous.

Figure 8.5 Cipher feedback (CFB) mode as a stream cipher

(Figure: a key generator on each side produces the r-bit keys k_i; P_i ⊕ k_i = C_i is sent over the insecure channel and C_i ⊕ k_i = P_i is recovered)

Figure 8.5 shows that the underlying cipher (DES or AES), the cipher key (K), and the previous cipher block (C_{i-1}) are used only to create the key stream (k_1, k_2, ...).

Algorithm

Algorithm 8.3 gives the routine for encryption. The algorithm calls several other routines whose details are left as exercises. Note that we have written the algorithm in such a way as to show the stream nature of the mode (real-time situation). The algorithm runs as long as there are plaintext blocks to be encrypted.

Algorithm 8.3 Encryption algorithm for CFB

    CFB_Encryption (IV, K, r)
    {
        i <- 1
        while (more blocks to encrypt)
        {
            input (P_i)
            if (i = 1)
                S <- IV
            else
            {
                Temp <- shiftLeft_r(S)
                S <- concatenate(Temp, C_{i-1})
            }
            T <- E_K(S)
            k_i <- selectLeft_r(T)
            C_i <- P_i ⊕ k_i
            output (C_i)
            i <- i + 1
        }
    }



Security Issues

There are three primary security issues in CFB mode:

1. Just like CBC, the patterns at the block level are not preserved.

2. More than one message can be encrypted with the same key, but the value of the IV should be changed for each message. This means that Alice needs to use a different IV each time she sends a message.

3. Eve can add some ciphertext blocks to the end of the ciphertext stream.

Error Propagation

In CFB, a single bit error in ciphertext block C_j during transmission creates a single bit error (at the same position) in plaintext block P_j. However, most of the bits in the following plaintext blocks are in error (with 50 percent probability) as long as some bits of C_j are still in the shift register, that is, for the next n/r blocks. The calculation of the number of affected blocks is left as an exercise. After the shift register is totally refreshed, the system recovers from the error. Note that the same property lets Eve make a controlled change to one unit of plaintext by flipping the corresponding ciphertext bit, at the cost of garbling the next n/r units; as with the other modes, integrity needs a separate MAC.

Application

The CFB mode of operation can be used to encipher blocks of small size such as one character or bit at a time. There is no need for padding because the size of the plaintext block is normally fixed (8 for a character or 1 for a bit).

Special Case

If the blocks in the text and in the underlying cipher are the same size (n = r), the encryption/decryption becomes simpler. The discovery of the diagram and the algorithm are left as an exercise.

Output Feedback (OFB) Mode

Output feedback (OFB) mode is very similar to CFB mode, with one difference: each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation. If an error occurs in transmission, it does not affect the bits that follow. Note that, like CFB, both the sender and the receiver use the encryption algorithm. Figure 8.6 shows OFB mode.

Figure 8.6 Encryption in output feedback (OFB) mode

(Figure legend: E: Encryption, D: Decryption, S_i: Shift register, P_i: Plaintext block i, C_i: Ciphertext block i, T_i: Temporary register, K: Secret key, IV: Initial vector (S_1); the r-bit key k_i, not the ciphertext, is fed back into the shift register)

OFB as a Stream Cipher

OFB, like CFB, creates a stream cipher out of the underlying block cipher. The key stream, however, is independent from the plaintext or ciphertext, which means that the stream cipher is synchronous, as discussed in Chapter 5. Figure 8.7 shows the encryption and decryption in which the key generator is conspicuous.

Figure 8.7 Output feedback (OFB) mode as a stream cipher

(Figure: a key generator on each side produces the r-bit keys k_i; P_i ⊕ k_i = C_i is sent over the insecure channel and C_i ⊕ k_i = P_i is recovered)

Algorithm

Algorithm 8.4 gives the routine for encryption. The algorithm calls several other routines whose details are left as exercises. Note that we have written the algorithm in such a way as to show the stream nature of the mode (real-time situation). The algorithm runs as long as there are plaintext blocks to be encrypted.

Algorithm 8.4 Encryption algorithm for OFB

    OFB_Encryption (IV, K, r)
    {
        i <- 1
        while (more blocks to encrypt)
        {
            input (P_i)
            if (i = 1)
                S <- IV
            else
            {
                Temp <- shiftLeft_r(S)
                S <- concatenate(Temp, k_{i-1})
            }
            T <- E_K(S)
            k_i <- selectLeft_r(T)
            C_i <- P_i ⊕ k_i
            output (C_i)
            i <- i + 1
        }
    }

"A 

Security Issues

Following are two of the security issues in OFB mode:

1. Just like the CFB mode, patterns at the block level are not preserved.

2. Any change in the ciphertext affects the plaintext decrypted at the receiver side. A flipped ciphertext bit flips exactly the corresponding plaintext bit, so Eve can make controlled changes without knowing the key.

In addition, the IV must never be reused under the same key: the key stream depends only on K and the IV, and two messages enciphered with the same key stream leak the exclusive-or of their plaintexts.

Error Propagation

A single error in the ciphertext affects only the corresponding bit in the plaintext.

Special Case

If the blocks in the text and the underlying cipher are of the same size (n = r), the encryption/decryption becomes simpler, but we leave the discovery of the diagram and the algorithm as an exercise.

Counter (CTR) Mode

In the counter (CTR) mode, there is no feedback; the pseudorandomness in the key stream is achieved using a counter. An n-bit counter is initialized to a predetermined value (IV) and incremented based on a predefined rule (mod 2^n). To provide better randomness, the increment value can depend on the block number to be incremented. (The standard formulation in NIST SP 800-38A simply increments the counter by one; what matters for security is that no counter value is ever used twice under the same key.) The plaintext and ciphertext block have the same block size as the underlying cipher (e.g., DES or AES). Plaintext blocks of size n are encrypted to create ciphertext blocks of size n. Figure 8.8 shows the counter mode.

Figure 8.8 Encryption in counter (CTR) mode

(Figure legend: E: Encryption, IV: Initialization vector, P_i: Plaintext block i, C_i: Ciphertext block i, K: Secret key, k_i: Encryption key i; the counter is incremented for each block)

The relation between plaintext and ciphertext blocks is shown below.

    Encryption: C_i = P_i ⊕ E_K(Counter_i)        Decryption: P_i = C_i ⊕ E_K(Counter_i)

CTR uses the encryption function of the underlying block cipher (E_K) for both encipherment and decipherment. It is easy to prove that the plaintext block P_i can be recovered from the ciphertext C_i. This is left as an exercise.

We can compare CTR mode to OFB and ECB modes. Like OFB, CTR creates a key stream that is independent from the previous ciphertext block, but CTR does not use feedback. Like ECB, CTR creates n-bit ciphertext blocks that are independent from each other; they depend only on the value of the counter. On the negative side, this means that CTR mode, like ECB mode, cannot be used for real-time processing if whole blocks are processed at once: the encrypting algorithm needs to wait to get a complete n-bit block of data before encrypting. In practice, however, the key stream block E_K(Counter_i) does not depend on the data at all, so it can be computed in advance and exclusive-ored with the data as it arrives, in units as small as one bit; the final partial block simply uses the leftmost bits of the last key stream block, so CTR needs no padding either. On the positive side, CTR mode, like ECB mode, can be used to encrypt and decrypt random-access files as long as the value of the counter can be related to the record number in the file.

CTR as a Stream Cipher

Like CFB and OFB, CTR is actually a stream cipher (different blocks are exclusive-ored with different keys). Figure 8.9 shows encryption and decryption of the ith data block.

Figure 8.9 Counter (CTR) mode as a stream cipher

(Figure: a key generator on each side produces the n-bit keys k_i; P_i ⊕ k_i = C_i is sent over the insecure channel and C_i ⊕ k_i = P_i is recovered)

Algorithm

Algorithm 8.5 gives the routine in pseudocode for encryption; the algorithm for decryption is left as an exercise. In this algorithm, the increment value is dependent on the block number. In other words, the counter values are IV, IV + 1, IV + 3, IV + 6, and so on. It is also assumed that all N plaintext blocks are ready before starting encryption, but the algorithm can be rewritten to avoid this assumption.

Security Issues

The security issues for the CTR mode are the same as those for OFB mode. In particular, a counter value (and therefore an IV) must never be reused under the same key, and a modified ciphertext bit changes exactly the corresponding plaintext bit, so CTR provides no integrity on its own.

Error Propagation

A single error in the ciphertext affects only the corresponding bit in the plaintext.



Algorithm 8.5 Encryption algorithm for CTR

    CTR_Encryption (IV, K, Plaintext blocks)
    {
        Counter <- IV
        for (i = 1 to N)
        {
            k_i <- E_K(Counter)
            C_i <- P_i ⊕ k_i
            Counter <- (Counter + i) mod 2^n
        }
        return Ciphertext blocks
    }
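The shift-register feedback of CFB (Algorithm 8.3), the key feedback of OFB (Algorithm 8.4), and the counter of CTR (Algorithm 8.5), together with their different error-propagation behaviour and CTR's random access, are demonstrated below in an added Python example that is not the book's code. Because these three modes only ever call the encryption direction E_K, a keyed SHA-256 truncated to n = 64 bits stands in for the block cipher (it is not a block cipher; AES would be used in practice). The key, IV, and text are constructed for the demonstration, and the CTR routine increments by one, as NIST SP 800-38A specifies, rather than by the block number as in Algorithm 8.5.

```python
import hashlib

N = 8  # n = 64 bits, the block size of the stand-in cipher


def e_k(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: a keyed one-way function (CFB, OFB and CTR never need D_K)."""
    return hashlib.sha256(key + block).digest()[:N]


def xor(a, b) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb(key: bytes, iv: bytes, data, r: int = 1, decrypt: bool = False) -> bytes:
    """CFB with r-byte units: S_i = ShiftLeft_r(S_{i-1}) | C_{i-1}, k_i = SelectLeft_r(E_K(S_i)).
    `data` is plaintext when encrypting and ciphertext when decrypting; in both
    cases the ciphertext unit is what gets fed back into the shift register."""
    s, out = iv, []
    for i in range(0, len(data), r):
        unit = bytes(data[i:i + r])
        res = xor(unit, e_k(key, s)[:r])
        c = unit if decrypt else res
        s = s[r:] + c                       # drop the leftmost r bytes, append C_i
        out.append(res)
    return b"".join(out)


def ofb(key: bytes, iv: bytes, data, r: int = 1) -> bytes:
    """OFB: the r-byte key unit k_i, not the ciphertext, is fed back. Same routine both ways."""
    s, out = iv, []
    for i in range(0, len(data), r):
        k = e_k(key, s)[:r]
        s = s[r:] + k
        out.append(xor(data[i:i + r], k))
    return b"".join(out)


def ctr(key: bytes, iv: bytes, data, start_block: int = 0) -> bytes:
    """CTR: k_i = E_K(IV + i) with no feedback; start_block gives random access."""
    out = []
    for j, i in enumerate(range(0, len(data), N)):
        counter = (int.from_bytes(iv, "big") + start_block + j) % (1 << (8 * N))
        out.append(xor(data[i:i + N], e_k(key, counter.to_bytes(N, "big"))))
    return b"".join(out)   # a short final block just uses the leftmost bytes of k_N


KEY, IV = b"mode-demo-key", bytes(range(N))             # constructed key and IV
PT = b"The quick brown fox jumps over the lazy dog!"  # constructed text, 44 bytes


def cfb_error_propagation():
    """Flip one bit of C_11 (1-byte units): P_11 has exactly that bit wrong, the next
    n/r = 8 units are garbage while the bad byte sits in the shift register, then
    the receiver resynchronizes on its own."""
    ct = bytearray(cfb(KEY, IV, PT))
    ct[10] ^= 0x01
    pt = cfb(KEY, IV, ct, decrypt=True)
    return [i for i in range(len(PT)) if pt[i] != PT[i]], pt[10] ^ PT[10]


def ofb_ctr_bit_error():
    """The same single-bit error in OFB and in CTR touches only the corresponding plaintext bit."""
    c1 = bytearray(ofb(KEY, IV, PT))
    c1[10] ^= 0x01
    c2 = bytearray(ctr(KEY, IV, PT))
    c2[10] ^= 0x01
    return xor(ofb(KEY, IV, c1), PT), xor(ctr(KEY, IV, c2), PT)


def ctr_random_access() -> bytes:
    """Decrypt only the third block (bytes 16..23) without processing the first two."""
    ct = ctr(KEY, IV, PT)
    return ctr(KEY, IV, ct[16:24], start_block=2)
```

`cfb_error_propagation` reports position 10 plus some of positions 11 to 18 as wrong and nothing after that, with the byte at position 10 differing from the original in exactly the flipped bit; `ofb_ctr_bit_error` returns, for both modes, a difference that is all zeros except a single 0x01 at position 10; `ctr_random_access` returns `PT[16:24]` (the bytes `fox jump`) without ever touching the earlier blocks.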



Comparison of Different Modes

Table 8.1 briefly compares the five different modes of operation discussed in this chapter.

Table 8.1 Summary of operation modes

    Operation Mode   Description                                                     Type of Result   Data Unit
    ECB              Each n-bit block is encrypted independently with the same       Block cipher     n
                     cipher key.
    CBC              Same as ECB, but each block is first exclusive-ored with the    Block cipher     n
                     previous ciphertext.
    CFB              Each r-bit block is exclusive-ored with an r-bit key, which     Stream cipher    r <= n
                     is part of the previous ciphertext.
    OFB              Same as CFB, but the shift register is updated by the           Stream cipher    r <= n
                     previous r-bit key.
    CTR              Same as OFB, but a counter is used instead of a shift           Stream cipher    n
                     register.

8.2 USE OF STREAM CIPHERS

Although the five modes of operation enable the use of block ciphers for encipherment of messages or files in large units (ECB, CBC, and CTR) and small units (CFB and OFB), sometimes pure stream ciphers are needed for enciphering small units of data such as characters or bits. Stream ciphers are more efficient for real-time processing. Several stream ciphers have been used in different protocols during the last few decades. We discuss only two: RC4 and A5/1.

RC4

RC4 is a stream cipher that was designed in 1987 by Ronald Rivest for RSA Data Security. RC4 is used in many data communication and networking protocols, including SSL-TLS (see Chapter 17) and the IEEE 802.11 wireless LAN standard.



SECTION 8.2 USE OF STREAM CIPHERS

RC4 is a byte-oriented stream cipher in which a byte (8 bits) of a plaintext is exclusive-ored with a byte of key to produce a byte of a ciphertext. The secret key, from which the one-byte keys in the key stream are generated, can contain anywhere from 1 to 256 bytes.

RC4 is based on the concept of a state. At each moment, a state of 256 bytes is active, from which one of the bytes is randomly selected to serve as the key for encryption. The idea can be shown as an array of bytes:

    S[0]  S[1]  S[2]  ...  S[255]

Note that the indices of the elements range between 0 and 255. The contents of each element is also a byte (8 bits) that can be interpreted as an integer between 0 and 255.

The Idea

Figure 8.10 shows the whole idea of RC4. The first two boxes are performed only once (initializing); the permutation for creating the stream key is repeated as long as there are plaintext bytes to encrypt.

Figure 8.10 The idea of RC4 stream cipher

(Figure: state initialization, done only once, fills S[0] S[1] ... S[255]; initial state permutation, done only once, mixes in the key bytes K[0] K[1] K[2] ... and permutes; then, for each plaintext byte, a state permutation for key stream generation permutes the state values and yields an 8-bit key k, with P ⊕ k = C for the first, second, ..., last byte)

Initialization  Initialization is done in two steps:

1. In the first step, the state is initialized to values 0, 1, ..., 255. A key array, K[0], K[1], ..., K[255], is also created. If the secret key has exactly 256 bytes, the bytes are copied to the K array; otherwise, the bytes are repeated until the K array is filled.

    for (i = 0 to 255)
    {
        S[i] <- i
        K[i] <- Key[i mod KeyLength]
    }

2. In the second step, the initialized state goes through a permutation (swapping elements) based on the value of the bytes in K[i]. The key byte is used only in this step to define which elements are to be swapped. After this step, the state bytes are completely shuffled.

    j <- 0
    for (i = 0 to 255)
    {
        j <- (j + S[i] + K[i]) mod 256
        swap (S[i], S[j])
    }

Key Stream Generation  The keys in the key stream, the k's, are generated one by one. First, the state is permuted based on the values of state elements and the values of two individual variables, i and j. Second, the values of two state elements in positions i and j are used to define the index of the state element that serves as k. The following code is repeated for each byte of the plaintext to create a new key element in the key stream. The variables i and j are initialized to 0 before the first iteration, but the values are carried over from one iteration to the next.

    i <- (i + 1) mod 256
    j <- (j + S[i]) mod 256
    swap (S[i], S[j])
    k <- S[(S[i] + S[j]) mod 256]

Encryption or Decryption  After k has been created, the plaintext byte is encrypted with k to create the ciphertext byte. Decryption is the reverse process.

    C <- P ⊕ k

Algorithm

Algorithm 8.6 shows the pseudocode routine for RC4.

Algorithm 8.6 Encryption algorithm for RC4

    RC4_Encryption (Key)
    {
        // Creation of initial state and key bytes
        for (i = 0 to 255)
        {
            S[i] <- i
            K[i] <- Key[i mod KeyLength]
        }
        // Permuting state bytes based on values of key bytes
        j <- 0
        for (i = 0 to 255)
        {
            j <- (j + S[i] + K[i]) mod 256
            swap (S[i], S[j])
        }
        // Continuously permuting state bytes, generating keys, and encrypting
        i <- 0
        j <- 0
        while (more bytes to encrypt)
        {
            i <- (i + 1) mod 256
            j <- (j + S[i]) mod 256
            swap (S[i], S[j])
            k <- S[(S[i] + S[j]) mod 256]
            // Key is ready, encrypt
            input (P)
            C <- P ⊕ k
            output (C)
        }
    }

Example 8.5

To show the randomness of the key stream, we use a secret key with all bytes set to 0. The key stream for 20 values of k is (222, 24, 137, 65, 163, 55, 93, 58, 138, 6, 30, 103, 87, 110, 146, 109, 199, 26, 127, 163).

Example 8.6

Repeat Example 8.5, but let the secret key be five bytes of (15, 202, 13, 6, 8). The key stream is (248, 184, 102, 54, 212, 237, 186, 133, 51, 238, 108, 106, 103, 214, 39, 242, 30, 8, 144, 49). Again the randomness in the key stream is obvious.






Security Issues

It is believed that this cipher is secure if the key size is at least 128 bits (16 bytes). There are some reported attacks for smaller key sizes (less than 5 bytes), but the protocols that use RC4 today still use key sizes that make RC4 secure. However, like many other ciphers, it is recommended that different keys be used for different sessions. This prevents Eve from using differential cryptanalysis on the cipher.

This assessment is dated. The RC4 key stream has statistical biases, most visibly in its first bytes (Fluhrer, Mantin, and Shamir, 2001, which broke the WEP use of RC4 with related per-packet keys), and later biases were turned into practical plaintext-recovery attacks on TLS (AlFardan et al., 2013); RFC 7465 (2015) prohibits RC4 in TLS. New designs should not use RC4 regardless of key size; where it cannot be avoided, at least the first few hundred bytes of key stream should be discarded, and a key (and hence a key stream) must never be reused across sessions, since two ciphertexts under the same key stream leak the exclusive-or of their plaintexts.
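Algorithm 8.6 in Python, as an added example that is not the book's code, checked against Example 8.5 and against the published RC4 test vector for the key "Key". The last function shows the session-key warning above in action: with one key stream used for two messages, Eve recovers the second message from the two ciphertexts and a crib for the first. The key and messages of that demonstration are constructed.

```python
def rc4_ksa(key: bytes) -> list:
    """Key scheduling (the first two loops of Algorithm 8.6): identity state, then one
    pass of key-driven swaps. Key bytes repeat cyclically, like K[i] <- Key[i mod KeyLength]."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Key stream generation (the while loop of Algorithm 8.6), n bytes."""
    s, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the key stream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def example_8_5(n: int = 20) -> list:
    """Example 8.5: key stream for a key whose bytes are all 0. The key length does not
    matter here, because K[i] is then 0 for every i."""
    return list(rc4_keystream(bytes(8), n))


def two_time_pad_leak(key: bytes, msg_a: bytes, msg_b: bytes) -> bytes:
    """Why a key must not be reused across sessions: from the two ciphertexts alone,
    Eve obtains P_a XOR P_b, because the identical key stream cancels out."""
    ca, cb = rc4_crypt(key, msg_a), rc4_crypt(key, msg_b)
    return bytes(x ^ y for x, y in zip(ca, cb))


def recover_with_crib(leak: bytes, crib: bytes) -> bytes:
    """With a crib (a known or guessable part of P_a), Eve reads the same part of P_b."""
    return bytes(x ^ y for x, y in zip(leak, crib))
```

`example_8_5(8)` gives 222, 24, 137, 65, 163, 55, 93, 58 (hex de 18 89 41 a3 37 5d 3a), the first eight values of Example 8.5, and `rc4_crypt(b"Key", b"Plaintext")` gives the well-known ciphertext bbf316e8d940af0ad3.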



A5/1

In this section we introduce a stream cipher that uses LFSRs (see Chapter 5) to create a bit stream: A5/1. A5/1 (a member of the A5 family of ciphers) is used in the Global System for Mobile Communication (GSM), a network for mobile telephone communication. Phone communication in GSM is done as a sequence of 228-bit frames in which each frame lasts 4.6 milliseconds. A5/1 creates a bit stream out of a 64-bit key. The bit streams are collected in a 228-bit buffer to be exclusive-ored with a 228-bit frame, as shown in Figure 8.11.



Figure 8.11 General outline of A5/1

(Figure: the 64-bit secret key feeds the key stream generator, whose 228 key stream bits are buffered and exclusive-ored with the 228-bit plaintext frame to give the ciphertext frame)

Key Generator

A5/1 uses three LFSRs with 19, 22, and 23 bits. The LFSR characteristic polynomials and the clocking bits are shown in Figure 8.12.

Figure 8.12 Three LFSRs in A5/1

(Figure: the three shaded bits are used in the majority function; the output bits of the three registers are exclusive-ored to give the output)

    LFSR 1: 19 bits (x^19 + x^18 + x^17 + x^14 + 1)
    LFSR 2: 22 bits (x^22 + x^21 + 1)
    LFSR 3: 23 bits (x^23 + x^22 + x^21 + x^8 + 1)
The one-bit output is fed to the 228-bit buffer to be used for encryption (or decryption).

Initialization  Initialization is done for each frame of encryption (or decryption). The initialization uses a 64-bit secret key and 22 bits of the corresponding frame number. Following are the steps:

1. First, set all bits in the three LFSRs to 0.

2. Second, mix the 64-bit key with the value of the registers according to the following code. Clocking means that each LFSR goes through one shifting process.

    for (i = 0 to 63)
    {
        Clock all three LFSRs
        Exclusive-or Key[i] into the newly shifted-in bit of each LFSR
    }

3. Then repeat the previous process but use the 22-bit frame number instead of the key (i from 0 to 21).

4. For 100 cycles clock the whole generator, but use the Majority function (see next section) to see which LFSRs should be clocked. Note that clocking here means that sometimes two and sometimes all three LFSRs go through the shifting process. The output bits produced during these 100 cycles are discarded.

Majority Function  A majority function, Majority(b_1, b_2, b_3), is 1 if the majority of bits is 1; it is 0 if the majority of bits is 0. For example, Majority(1, 0, 1) = 1, but Majority(0, 0, 1) = 0. The majority function has a role before each click of time; the three input bits are called clocking bits: bits LFSR1[10], LFSR2[11], and LFSR3[11] if the rightmost bit is bit zero. Note that the literature calls these bits 8, 10, and 10 counting from the left, but we use 10, 11, and 11 counting from the right. We use this convention to match with the characteristic polynomial.

Key Stream Bits  The key generator creates the key stream one bit at each click of time. Before the key is created the majority function is calculated. Then each LFSR is clocked if its clocking bit matches the result of the majority function; otherwise, it is not clocked.

Example 8.7

At a point of time the clocking bits are 1, 0, and 1. Which LFSRs are clocked (shifted)?

Solution

The result of Majority(1, 0, 1) = 1. LFSR1 and LFSR3 are shifted, but LFSR2 is not.

The bit streams created by the key generator are buffered to form a 228-bit key that is exclusive-ored with the plaintext frame to create the ciphertext frame. Encryption/decryption is done one frame at a time.
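The generator described above, with the three LFSRs, key and frame-number loading, the 100 warm-up cycles, majority-rule clocking, and 228 key stream bits per frame, in an added Python example that is not the book's code. Tap and clocking positions are taken from the standard reference description of A5/1 and are numbered from the input end of each register (bit 0 is where a new value enters), which is the convention the text calls "the literature" (clocking bits 8, 10, 10); the text's own numbering from the other end is not used here. The key and frame number are constructed values.

```python
# (length, feedback taps, clocking bit) per register, bits numbered from the input end.
# The taps are the standard positions; e.g. LFSR1's x^19 + x^18 + x^17 + x^14 + 1
# corresponds to bits 18, 17, 16, 13 in this numbering.
REGS = (
    (19, (13, 16, 17, 18), 8),   # LFSR 1
    (22, (20, 21), 10),          # LFSR 2
    (23, (7, 20, 21, 22), 10),   # LFSR 3
)


def majority(b1: int, b2: int, b3: int) -> int:
    return 1 if b1 + b2 + b3 >= 2 else 0


def _clock(reg: int, length: int, taps: tuple, in_bit: int = 0) -> int:
    """One shift: feedback = XOR of the tapped bits (XOR in_bit while loading), entering at bit 0."""
    fb = in_bit
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


def which_clock(b1: int, b2: int, b3: int) -> list:
    """Example 8.7: a register is clocked only if its clocking bit equals the majority."""
    m = majority(b1, b2, b3)
    return [b == m for b in (b1, b2, b3)]


class A51:
    def __init__(self, key: bytes, frame: int):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 needs a 64-bit key and a 22-bit frame number")
        self.r = [0, 0, 0]                                 # step 1: all bits 0
        key_bits = int.from_bytes(key, "little")
        for i in range(64):                                # step 2: mix in the key
            self._clock_all((key_bits >> i) & 1)
        for i in range(22):                                # step 3: mix in the frame number
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                               # step 4: warm-up, output discarded
            self._clock_majority()

    def _clock_all(self, bit: int) -> None:
        self.r = [_clock(r, L, taps, bit) for r, (L, taps, _) in zip(self.r, REGS)]

    def _clock_majority(self) -> None:
        bits = [(r >> cb) & 1 for r, (_, _, cb) in zip(self.r, REGS)]
        go = which_clock(*bits)
        self.r = [_clock(r, L, taps) if g else r
                  for r, (L, taps, _), g in zip(self.r, REGS, go)]

    def keystream(self, n: int = 228) -> list:
        """n key stream bits: XOR of the three output (highest) bits after each clocking."""
        out = []
        for _ in range(n):
            self._clock_majority()
            out.append(((self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22)) & 1)
        return out


def crypt_frame(key: bytes, frame: int, bits: list) -> list:
    """Encrypt or decrypt one frame of bits; the generator is re-initialized for every frame."""
    return [b ^ k for b, k in zip(bits, A51(key, frame).keystream(len(bits)))]


KEY = bytes.fromhex("1223456789abcdef")   # constructed 64-bit key
```

`which_clock(1, 0, 1)` returns `[True, False, True]`, the answer of Example 8.7. Because the frame number enters the initialization, the same key yields a different 228-bit key stream for every frame, and applying `crypt_frame` twice with the same key and frame number returns the original frame.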

Security Issues

Although GSM continues to use A5/1, several attacks on GSM have been recorded. Two are mentioned here. In 2000, Alex Biryukov, Adi Shamir, and David Wagner showed a real-time attack that finds the key in minutes from small known plaintexts, but it needs a preprocessing stage with 2^48 steps. In 2003, Ekdahl and Johansson published an attack that broke A5/1 in a few minutes using 2 to 5 minutes of plaintext. With some new attacks on the horizon, GSM may need to replace or improve A5/1 in the future. (Since this was written, precomputed rainbow tables published in 2009 made key recovery from a few frames of known plaintext practical on commodity hardware, and A5/3, based on KASUMI, is the recommended replacement.)

8.3 OTHER ISSUES

Encipherment using symmetric-key block or stream ciphers requires discussion of other issues.

Key Management

Alice and Bob need to share a secret key between themselves to securely communicate using a symmetric-key cipher. If there are n entities in the community, each needs to communicate with n - 1 other entities. Therefore, n(n - 1) secret keys are needed. However, in a symmetric-key encipherment a single key can be used in both directions, from Alice to Bob and from Bob to Alice. This means that n(n - 1)/2 keys suffice. If n is around a million, then almost half a billion keys must be exchanged. Because this is not feasible, several other solutions have been found. First, each time Alice and Bob want to communicate, they can create a session (temporary) key between themselves. Second, one or more key distribution centers can be established in the community to distribute session keys for entities. All of these issues are part of key management, which will be discussed thoroughly in Chapter 15 after the necessary tools have been discussed.

Key management is discussed in Chapter 15.



Key Generation

Another issue in symmetric-key encipherment is the generation of a secure key. Different symmetric-key ciphers need keys of different sizes. The selection of the key must be based on a systematic approach to avoid a security leak. If Alice and Bob generate a session key between themselves, they need to choose the key so randomly that Eve cannot guess the next key. If a key distribution center needs to distribute the keys, the keys should be so random that Eve cannot guess the key assigned to Alice and Bob from the key assigned to John and Eve. This implies that there is a need for a random (or pseudorandom) number generator. Because the discussion of random number generators needs some topics that have not yet been discussed, the study of random number generation is presented in Appendix K.

Random number generators are discussed in Appendix K.

8.4 RECOMMENDED READ1 

ThefoUowingb^aud websites provide more details about subjects discussed into 
chapter. The henW&ed in bnM refer to the Terence list at the end of the hook. 

Books V ^ 

ISeb9<>] LS»06], IPHS&LstUXa. 1MOV97]. and [KPS02] discuss modes of opera- 
Lions. fVau06] and [5u06f£ke thorough discussions of stream Ciphers. 

WebSites (T) 

The following wehsites B ive more information about topics discussed in this chapter. 

http://wvfflf.iil .nisi, gov/fi [ispubfi/tipB 1 -fiW 
4=n wiki«dia.or^wild/A5/l O 

— 



Shp^ 




TERMS 



AVI 

cipher block chairing (CRC) mode 
cipher feedback rCFB) mode 
ciphcuext stealing {CVS) 
counter (CTR) mode 
clecUonic codebook (ECB) mode 



o 

Global S^tcm for Mobile Commuflicatiori (GSM) 

initialifcaiiAn vector (IV) 

mode of op^^oti 

output feedbacQoi 7 ])) niode 

ROt >£> 



8.6 SUMMARY

□ In real-life applications, the text to be enciphered is of variable size, and modes of 
operation have been devised to encipher text of any size employing modern block 
ciphers. Five modes of operation were discussed in this chapter.

□ The simplest mode of operation is called the electronic codebook (ECB) mode. 
The plaintext is divided into N blocks. The block size is n bits. The same key is 
used to encrypt and decrypt each block.

□ In cipher block chaining (CBC) mode, each plaintext block is exclusive-ored 
with the previous ciphertext block before being encrypted. When a block is 
enciphered, the block is sent, but a copy of it is kept in memory to be used in the 
encryption of the next block. The sender and the receiver agree upon a specific 
predetermined initialization vector (IV) to be exclusive-ored with the first 
ciphertext block.

□ To encipher small data units in real-time processing, cipher feedback (CFB) mode 
was introduced. CFB uses a standard block cipher, such as DES or AES, to encrypt 
a shift register, but uses the exclusive-or operation to encrypt or decrypt the actual 
data units. CFB mode uses block ciphers, but the result is a stream cipher because 
each data unit is enciphered with a different key.

□ Output feedback (OFB) mode is very similar to CFB mode, with one difference. 
Each bit in the ciphertext is independent of the previous bit or bits. This avoids 
error propagation. Instead of using the previous ciphertext block, OFB uses the 
previous key as feedback.

□ In counter (CTR) mode, there is no feedback. The pseudorandomness in the key 
stream is achieved using a counter. An n-bit counter is initialized to a predeter-
mined value (IV) and incremented based on a predefined rule.

□ To encipher small units of data, such as characters or bits, several stream ciphers 
have been designed from scratch. These stream ciphers are more efficient for real-
time processing. Only two pure stream ciphers were discussed in this chapter: RC4 
and A5/1.

□ RC4 is a byte-oriented stream cipher in which a byte (8 bits) of plaintext is exclusive-
ored with a byte of a key to produce a byte of ciphertext. The secret key, from 
which the one-byte keys in the key stream are generated, can contain anywhere 
from 1 to 256 bytes. The key stream generator is based on the permutation of a state 
of 256 bytes.

□ A5/1 is a stream cipher used in mobile telephone communication. A5/1 creates a 
bit stream out of a 64-bit key using three LFSRs.
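The five modes summarized above differ most visibly in how a transmission error spreads, which is what Exercises 17 to 21 ask about. The following is an added example, not code from the book: it implements ECB, CBC, CFB (with r = n, so the whole shift register is replaced each step), OFB and CTR around a constructed 64-bit toy block cipher (a key mix, a bit rotation and another key mix; it is only a bijection to run the modes on, not DES or AES), then flips one ciphertext bit and reports which plaintext blocks come back damaged. All function names, the key, the IV and the plaintext are this example's own.

```python
"""Five modes of operation around a toy block cipher, and how a corrupted
ciphertext block propagates into the recovered plaintext.

Added example (not the book's code). The 64-bit "block cipher" is a
constructed toy permutation used only so the modes run offline.
"""

BLOCK = 8                     # block size n in bytes (64 bits)
MASK64 = (1 << 64) - 1

def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed toy block cipher: key mix, rotate 13 bits, key mix."""
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big") ^ k
    return (_rotl(x, 13) ^ k).to_bytes(BLOCK, "big")

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big") ^ k
    return (_rotl(x, 64 - 13) ^ k).to_bytes(BLOCK, "big")   # rotate back

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt(mode, key, iv, plaintext):
    """Encrypt whole blocks (plaintext length must be a multiple of BLOCK)."""
    out, prev, counter = [], iv, int.from_bytes(iv, "big")
    for p in blocks(plaintext):
        if mode == "ECB":
            c = toy_encrypt(key, p)
        elif mode == "CBC":            # chain on the previous ciphertext block
            c = toy_encrypt(key, xor(p, prev)); prev = c
        elif mode == "CFB":            # r = n: shift register becomes C_i
            c = xor(p, toy_encrypt(key, prev)); prev = c
        elif mode == "OFB":            # feedback is the key stream, not C_i
            prev = toy_encrypt(key, prev); c = xor(p, prev)
        elif mode == "CTR":            # no feedback: encrypt a counter
            c = xor(p, toy_encrypt(key, counter.to_bytes(BLOCK, "big")))
            counter = (counter + 1) & MASK64
        else:
            raise ValueError(mode)
        out.append(c)
    return b"".join(out)

def decrypt(mode, key, iv, ciphertext):
    out, prev, counter = [], iv, int.from_bytes(iv, "big")
    for c in blocks(ciphertext):
        if mode == "ECB":
            p = toy_decrypt(key, c)
        elif mode == "CBC":
            p = xor(toy_decrypt(key, c), prev); prev = c
        elif mode == "CFB":            # only the encryption function is used
            p = xor(c, toy_encrypt(key, prev)); prev = c
        elif mode == "OFB":
            prev = toy_encrypt(key, prev); p = xor(c, prev)
        elif mode == "CTR":
            p = xor(c, toy_encrypt(key, counter.to_bytes(BLOCK, "big")))
            counter = (counter + 1) & MASK64
        else:
            raise ValueError(mode)
        out.append(p)
    return b"".join(out)

def corrupted_blocks(mode, key, iv, plaintext, block_index, bit):
    """Flip one bit of ciphertext block `block_index` (0-based) and return the
    indices of the plaintext blocks that no longer decrypt correctly."""
    ct = bytearray(encrypt(mode, key, iv, plaintext))
    ct[block_index * BLOCK + bit // 8] ^= 1 << (bit % 8)
    recovered = decrypt(mode, key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(blocks(plaintext), blocks(recovered)))
            if a != b]

# Constructed sample input: a fixed key and IV, six 8-byte plaintext blocks.
KEY = bytes(range(8))
IV = bytes.fromhex("0123456789abcdef")
PLAINTEXT = b"block-0 block-1 block-2 block-3 block-4 block-5 "
MODES = ("ECB", "CBC", "CFB", "OFB", "CTR")

def propagation_table():
    """Damage caused by one flipped bit in ciphertext block 2, per mode."""
    return {m: corrupted_blocks(m, KEY, IV, PLAINTEXT, 2, 17) for m in MODES}

if __name__ == "__main__":
    for mode, damaged in propagation_table().items():
        print(f"{mode}: one bad bit in ciphertext block 2 damages plaintext blocks {damaged}")
```

Running it shows the pattern the summary describes: ECB, OFB and CTR confine the error to the block it hit (in OFB and CTR only that one bit is wrong), while CBC and CFB also spoil the following block, because that block's decryption consumes the corrupted ciphertext block as feedback.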



8.7 PRACTICE SET

Review Questions

1. Explain why modes of operation are needed if modern block ciphers are to be used 
for encipherment.

2. List five modes of operation discussed in this chapter.
3. Define ECB and list its advantages and disadvantages.
4. Define CBC and list its advantages and disadvantages.
5. Define CFB and list its advantages and disadvantages.
6. Define OFB and list its advantages and disadvantages.
7. Define CTR and list its advantages and disadvantages.

8. Divide the five modes of operation into two groups: those that use the encryption 
and decryption functions of the underlying cipher (for example, DES or AES) and 
those that use only the encryption function.

9. Divide the five modes of operation into two groups: those that need padding and 
those that do not.

10. Divide the five modes of operation into two groups: those that use the same key for 
the encipherment of all blocks, and those that use a key stream for encipherment of 
blocks.

11. Explain the major difference between RC4 and A5/1. Which one uses LFSRs?

12. What is the size of the data unit in RC4? What is the size of the data unit in A5/1?

13. List the operation modes that can be sped up by parallel processing.

14. List the operation modes that can be used for encipherment of random-access files.

Exercises

15. Show why CFB mode creates a nonsynchronous stream cipher, but OFB mode cre-
ates a synchronous one.

16. In CFB mode, how many bits will be affected by a single bit error in transmission?

17. In ECB mode, bit 17 in ciphertext block 8 is corrupted during transmission. Find 
the possible corrupted bits in the plaintext.

18. In CBC mode, bits 17 and 18 in ciphertext block 9 are corrupted during transmis-
sion. Find the possible corrupted bits in the plaintext.

19. In CFB mode, bits 3 to 6 in ciphertext block 11 are corrupted (r = 8). Find the pos-
sible corrupted bits in the plaintext.

20. In CTR mode, blocks 3 and 4 are entirely corrupted. Find the possible corrupted 
bits in the plaintext.

21. In OFB mode, the entire ciphertext block 11 is corrupted (r = 8). Find the possible 
corrupted bits in the plaintext.

22. Prove that the plaintext used by Alice is recovered by Bob in CFB mode.

23. Prove that the plaintext used by Alice is recovered by Bob in OFB mode.

24. Prove that the plaintext used by Alice is recovered by Bob in CTR mode.

25. Show the diagram for encryption and decryption in the CFB mode when r = n.

26. Show the diagram for encryption and decryption in the OFB mode when r = n.

27. Show the processes used for the decryption algorithm in ECB mode if ciphertext steal-
ing (CTS) is used.

28. Show the encryption and the decryption diagram for ECB mode (only the last two 
blocks) when ciphertext stealing (CTS) is used.

29. Show the processes used for the decryption algorithm in CBC mode if ciphertext steal-
ing (CTS) is used.

30. Show the encryption and the decryption diagram for CBC mode (only the last two 
blocks) when ciphertext stealing (CTS) is used.

31. Explain why there is no need for ciphertext stealing in CFB, OFB, and CTR modes.

32. Show the effect of error propagation when ECB uses the CTS technique.

33. Show the effect of error propagation when CBC uses the CTS technique.

34. The block chaining (BC) mode is a variation of CBC in which all the previous 
ciphertext blocks are exclusive-ored with the current plaintext block before 
encryption. Draw a diagram that shows the encryption and decryption.

35. The propagating cipher block chaining (PCBC) mode is a variation of CBC in 
which both the previous plaintext block and the previous ciphertext block are 
exclusive-ored with the current plaintext block before encryption. Draw a diagram 
that shows the encryption and decryption.

36. The cipher block chaining with checksum (CBCC) mode is a variation of CBC in 
which all previous plaintext blocks are exclusive-ored with the current plaintext 
block before encryption. Draw a diagram to show the encryption and decryption 
and show the procedure.

37. In RC4, show the first 20 elements of the key stream if the secret key is only 
7 bytes with values 1, 2, 3, 4, 5, 6, and 7. You may want to write a small program 
to do so.

38. In RC4, find a value for the secret key that does not change the state after the first 
and second initialization steps.

39. Alice and Bob communicate using RC4 for secrecy with a 16-byte secret key. The 
secret key is changed each time using the recursive definition K_i = (K_(i−1) + K_(i−2)) 
mod 2^m. Show how many messages they can exchange before the pattern repeats 
itself.

40. In A5/1, find the maximum period of each LFSR.

41. In A5/1, find the value of the following functions. In each case, show how many 
LFSRs are clocked.
a. Majority(1, 0, 0)
b. Majority(0, 1, 1)
c. Majority(0, 0, 0)
d. Majority(1, 1, 1)

42. In A5/1, find an expression for the Majority function.

43. Write the decryption algorithm in pseudocode for ECB mode.

44. Write the decryption algorithm in pseudocode for CBC mode.

45. Write the decryption algorithm in pseudocode for CFB mode.

46. Write the decryption algorithm in pseudocode for OFB mode.

47. Write the decryption algorithm in pseudocode for CTR mode.

48. Write an algorithm for the shiftLeft routine used in Algorithm 8.4.

49. Write an algorithm for the selectLeft routine used in Algorithm 8.4.

50. Write an algorithm for the concatenate routine used in Algorithm 8.4.





Asymmetric-Key Encipherment

In Chapter 1, we saw that cryptography provides three techniques: symmetric-key 
ciphers, asymmetric-key ciphers, and hashing. Part Two is devoted to asymmetric-
key ciphers. Chapter 9 reviews the mathematical background necessary to understand 
the rest of the chapters in this part and the rest of the book. Chapter 10 explores the 
contemporary asymmetric-key ciphers.

Chapter 9: Mathematics of Cryptography: Part III

Chapter 9 reviews some mathematical concepts needed for understanding the next few 
chapters. It discusses prime numbers and their applications in cryptography. It introduces 
primality test algorithms and their efficiencies. Other topics include factorization, the 
Chinese remainder theorem, and quadratic congruence. Modular exponentiation and log-
arithms are also discussed to pave the way for discussion of public-key cryptosystems in 
Chapter 10.

Chapter 10: Asymmetric-Key Cryptography

Chapter 10 discusses asymmetric-key (public-key) ciphers. It introduces several cryp-
tosystems, such as RSA, Rabin, ElGamal, and ECC, mentions most kinds of attacks for 
each system, and presents recommendations for preventing those attacks.



Mathematics of Cryptography

Part III: Primes and Related Congruence Equations

Objectives

This chapter has several objectives:

□ To introduce prime numbers and their applications in cryptography.

□ To discuss some primality test algorithms and their efficiencies.

□ To discuss factorization algorithms and their applications in cryptography.

□ To describe the Chinese remainder theorem and its application.

□ To introduce quadratic congruence.

□ To introduce modular exponentiation and logarithm.

Asymmetric-key cryptography, which we will discuss in Chapter 10, is based 
on some topics in number theory, including theories related to primes, 
factorization of composites into primes, modular exponentiation and loga-
rithm, quadratic residues, and the Chinese remainder theorem. These issues 
are discussed in this chapter to make Chapter 10 easier to understand.



9.1 PRIMES

Asymmetric-key cryptography uses primes extensively. The topic of primes is a large 
part of any book on number theory. This section discusses only a few concepts and 
facts to pave the way for Chapter 10.

Definition

The positive integers can be divided into three groups: the number 1, primes, and com-
posites, as shown in Figure 9.1.

Figure 9.1 Three groups of positive integers: the number 1 (exactly one divisor), 
primes (exactly two divisors), and composites (more than two divisors)

A positive integer is a prime if and only if it is exactly divisible by two integers, 1 and 
itself. A composite is a positive integer with more than two divisors.

A prime is divisible only by itself and 1.

Example 9.1

What is the smallest prime?

Solution

The smallest prime is 2, which is divisible by 2 (itself) and 1. Note that the integer 1 is not a 
prime according to the definition, because a prime must be divisible by two different integers, no 
more, no less. The integer 1 is divisible only by itself; it is not a prime.

Example 9.2

List the primes smaller than 10.

Solution

There are four primes less than 10: 2, 3, 5, and 7. It is interesting to note that the percentage of 
primes in the range 1 to 10 is 40%. The percentage decreases as the range increases.

Two positive integers, a and b, are relatively prime, or coprime, if gcd(a, b) = 1. Note 
that the number 1 is relatively prime with any integer. If p is a prime, then all integers 1 
to p − 1 are relatively prime to p. In Chapter 2, we discussed set Z_n*, whose members are 
all relatively prime to n. Set Z_p* is the same except that the modulus (p) is a prime.



Cardinality of Primes

After the concept of primes has been defined, two questions naturally arise: Is there a finite 
number of primes or is the list infinite? Given a number n, how many primes are smaller 
than or equal to n?

Infinite Number of Primes

The number of primes is infinite. Here is an informal proof: Suppose that the set of primes 
is finite (limited), with p as the largest prime. Multiply the set of primes and call the result 
P = 2 × 3 × ⋯ × p. The integer (P + 1) cannot have a factor q ≤ p. We know that q divides P; 
if q divides (P + 1), then q divides (P + 1) − P = 1. The only number that divides 1 is 1, 
which is not a prime. Therefore, q is larger than p.

There is an infinite number of primes.

Example 9.3

As a trivial example, assume that the only primes are in the set {2, 3, 5, 7, 11, 13, 17}. Here P = 
510510 and P + 1 = 510511. However, 510511 = 19 × 97 × 277; none of these primes were in the 
original list. Therefore, there are three primes greater than 17.

Number of Primes

To answer the second question, a function called π(n) is defined that finds the number 
of primes smaller than or equal to n. The following shows the values of this function for 
different n's.

But if n is very large, how can we calculate π(n)? The answer is that we can only 
use approximation. It has been shown that

[n / (ln n)] < π(n) < [n / (ln n − 1.08366)]

Gauss discovered the upper limit; Lagrange discovered the lower limit.

Example 9.4

Find the number of primes less than 1,000,000.

Solution

The approximation gives the range 72,383 to 78,543. The actual number of primes is 78,498.

Checking for Primeness

The next question that comes to mind is this: Given a number n, how can we determine if n 
is a prime? The answer is that we need to see if the number is divisible by all primes less 
than √n. We know that this method is inefficient, but it is a good start.

Example 9.5

Is 97 a prime?

Solution

The floor of √97 = 9. The primes less than 9 are 2, 3, 5, and 7. We need to see if 97 is divisible 
by any of these numbers. It is not, so 97 is a prime.



Example 9.6

Is 301 a prime?

Solution

The floor of √301 = 17. We need to check 2, 3, 5, 7, 11, 13, and 17. The numbers 2, 3, and 5 do 
not divide 301, but 7 does. Therefore 301 is not a prime.

Sieve of Eratosthenes

The Greek mathematician Eratosthenes devised a method to find all primes less than 
n. The method is called the sieve of Eratosthenes. Suppose we want to find all primes 
less than 100. We write down all the numbers between 2 and 100. Because √100 = 10, 
we need to see if any number less than 100 is divisible by 2, 3, 5, and 7. Table 9.1 
shows the result.

Table 9.1 Sieve of Eratosthenes

The following shows the process:

1. Cross out all numbers divisible by 2 (except 2 itself).

2. Cross out all numbers divisible by 3 (except 3 itself).

3. Cross out all numbers divisible by 5 (except 5 itself).
4. Cross out all numbers divisible by 7 (except 7 itself).
5. The numbers left over are primes.
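The five steps above, the π(n) bounds of the previous subsection and the square-root check of Examples 9.5 and 9.6 are all short programs. The following is an added example, not code from the book; the names `sieve`, `pi`, `pi_bounds` and `is_prime_trial` are this example's own, and the constant 1.08366 is the one in the inequality quoted above. The sieve generalizes the 2, 3, 5, 7 of the text: only primes up to √n are ever used as divisors, and crossing out starts at p × p because smaller multiples of p were already removed by a smaller prime.

```python
"""Sieve of Eratosthenes, the prime-counting function pi(n), and the
Gauss/Lagrange approximation from the text.

Added example, not code from the book; function names are this example's own.
"""
import math

def sieve(n):
    """Return all primes smaller than n (Table 9.1 for n = 100).
    Only primes p <= sqrt(n) need to sieve; crossing out starts at p*p."""
    if n < 3:
        return []
    is_prime = bytearray([1]) * n
    is_prime[0] = is_prime[1] = 0
    for p in range(2, math.isqrt(n - 1) + 1):
        if is_prime[p]:
            is_prime[p * p::p] = bytearray(len(range(p * p, n, p)))
    return [i for i in range(n) if is_prime[i]]

def pi(n):
    """pi(n): the number of primes smaller than or equal to n."""
    return len(sieve(n + 1))

def pi_bounds(n):
    """(lower, upper) from  n/ln n < pi(n) < n/(ln n - 1.08366)."""
    ln = math.log(n)
    return n / ln, n / (ln - 1.08366)

def is_prime_trial(n):
    """Primeness by dividing by the primes up to sqrt(n) (Examples 9.5, 9.6)."""
    if n < 2:
        return False
    return all(n % p for p in sieve(math.isqrt(n) + 1))

if __name__ == "__main__":
    print(sieve(100))                                   # the sieve of Table 9.1
    lo, hi = pi_bounds(1_000_000)
    print(f"{lo:.0f} < pi(10^6) = {pi(1_000_000)} < {hi:.0f}")   # Example 9.4
    print(is_prime_trial(97), is_prime_trial(301))     # Examples 9.5 and 9.6
```

For n = 1,000,000 the bounds evaluate to roughly 72,382.4 and 78,543.2, bracketing the 78,498 primes that the sieve actually counts, as in Example 9.4.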

Euler's Phi-Function

Euler's phi-function, φ(n), which is sometimes called the Euler's totient function, plays 
a very important role in cryptography. The function finds the number of integers that are 
both smaller than n and relatively prime to n. Recall from Chapter 2 that the set Z_n* con-
tains the numbers that are smaller than n and relatively prime to n. The function φ(n) cal-
culates the number of elements in this set. The following helps to find the value of φ(n):

2. φ(p) = p − 1 if p is a prime.




3. φ(m × n) = φ(m) × φ(n) if m and n are relatively prime.
4. φ(p^e) = p^e − p^(e−1) if p is a prime.

We can combine the above four rules to find the value of φ(n). For example, if n can be 
factored as n = p1^e1 × p2^e2 × ⋯ × pk^ek, then we combine the third and the fourth rule to find φ(n).

It is very important to notice that the value of φ(n) for large composites can be 
found only if the number n can be factored into primes. In other words, the difficulty of 
finding φ(n) depends on the difficulty of finding the factorization of n, which is dis-
cussed in the next section.

The difficulty of finding φ(n) depends on the difficulty of finding the factorization of n.

Example 9.7

What is the value of φ(13)?

Solution

Because 13 is a prime, φ(13) = (13 − 1) = 12.

Example 9.8

What is the value of φ(10)?

Solution

We can use the third rule: φ(10) = φ(2) × φ(5) = 1 × 4 = 4, because 2 and 5 are primes.

Example 9.9

What is the value of φ(240)?

Solution

We can write 240 = 2^4 × 3^1 × 5^1. Then

φ(240) = (2^4 − 2^3) × (3^1 − 3^0) × (5^1 − 5^0) = 64

Example 9.10

Can we say that φ(49) = φ(7) × φ(7) = 6 × 6 = 36?

Solution

No. The third rule applies when m and n are relatively prime. Here 49 = 7^2. We need to use the 
fourth rule: φ(49) = 7^2 − 7^1 = 42.

Example 9.11

What is the number of elements in Z_14*?

Solution

The answer is φ(14) = φ(7) × φ(2) = 6 × 1 = 6. The members are 1, 3, 5, 9, 11, and 13.

Interesting point: If n > 2, the value of φ(n) is even.



Fermat's Little Theorem

Fermat's little theorem plays a very important role in number theory and cryptogra-
phy. We introduce two versions of the theorem here.

First Version

The first version says that if p is a prime and a is an integer such that p does not divide 
a, then a^(p−1) ≡ 1 mod p.

Second Version

The second version removes the condition on a. It says that if p is a prime and a is an 
integer, then a^p ≡ a mod p.

Applications

Although we will see some applications of this theorem later in this chapter, the theo-
rem is very useful for solving some problems.

Exponentiation  Fermat's little theorem sometimes is helpful for quickly finding a 
solution to some exponentiations. The following examples show the idea.

Example 9.12

Find the result of 6^10 mod 11.

Solution

We have 6^10 mod 11 = 1. This is the first version of Fermat's little theorem where p = 11.

Example 9.13

Find the result of 3^12 mod 11.

Solution

Here the exponent (12) and the modulus (11) are not the same. With substitution this can be 
solved using Fermat's little theorem.

3^12 mod 11 = (3^11 × 3) mod 11 = (3^11 mod 11) × (3 mod 11) = (3 × 3) mod 11 = 9

Multiplicative Inverses  A very interesting application of Fermat's theorem is in 
finding some multiplicative inverses quickly if the modulus is a prime. If p is a prime 
and a is an integer such that p does not divide a (p ∤ a), then a^(−1) mod p = a^(p−2) mod p.

This can be easily proved if we multiply both sides of the equality by a and use the 
first version of Fermat's little theorem:

a × a^(−1) mod p = a × a^(p−2) mod p = a^(p−1) mod p = 1 mod p

This application eliminates the use of the extended Euclidean algorithm for finding 
some multiplicative inverses.

Example 9.14

The answers to multiplicative inverses modulo a prime can be found without using the extended 
Euclidean algorithm:

a. 8^(−1) mod 17 = 8^(17−2) mod 17 = 8^15 mod 17 = 15 mod 17

b. 5^(−1) mod 23 = 5^(23−2) mod 23 = 5^21 mod 23 = 14 mod 23

c. 60^(−1) mod 101 = 60^(101−2) mod 101 = 60^99 mod 101 = 32 mod 101

d. 22^(−1) mod 211 = 22^(211−2) mod 211 = 22^209 mod 211 = 48 mod 211

Euler's Theorem

Euler's theorem can be thought of as a generalization of Fermat's little theorem. The 
modulus in the Fermat theorem is a prime; the modulus in Euler's theorem is an integer. 
We introduce two versions of this theorem.

First Version

The first version of Euler's theorem is similar to the first version of Fermat's little 
theorem. If a and n are coprime, then a^φ(n) ≡ 1 (mod n).

Second Version

The second version of Euler's theorem (we call it so for the lack of any name) is similar 
to the second version of Fermat's little theorem; it removes the condition that a and n 
should be coprime. If n = p × q, a < n, and k is an integer, then a^(k×φ(n)+1) ≡ a (mod n).

Let us give an informal proof of the second version based on the first version. 
Because a < n, three cases are possible:

1. If a is neither a multiple of p nor a multiple of q, then a and n are coprimes.

2. If a is a multiple of p (a = i × p), but not a multiple of q, then

a^φ(q) mod q = 1 → [a^φ(q)]^(k×φ(p)) mod q = 1 → a^(k×φ(n)) mod q = 1   (first version, a and q coprime)

a^(k×φ(n)+1) mod q = a mod q   and   a^(k×φ(n)+1) mod p = 0 = a mod p   (p divides a)

a^(k×φ(n)+1) ≡ a (mod p) and (mod q) → a^(k×φ(n)+1) ≡ a (mod n)   (congruence relation)

3. If a is a multiple of q (a = i × q), but not a multiple of p, the proof is the same as for 
the second case, but the roles of p and q are changed.

The second version of the theorem is used in the RSA cryptosystem in Chapter 10.

Applications

Although we will see some applications of Euler's theorem later in this chapter, the theorem is 
very useful for solving some problems.

Exponentiation  Euler's theorem sometimes is helpful for quickly finding a solution 
to some exponentiations. The following examples show the idea.

Example 9.15

Find the result of 6^24 mod 35.

Solution

We have 6^24 mod 35 = 6^φ(35) mod 35 = 1.

Example 9.16

Find the result of 20^62 mod 77.

Solution

If we let k = 1 in the second version, we have 20^62 mod 77 = (20 mod 77) × (20^(φ(77)+1) mod 77) 
mod 77 = (20)(20) mod 77 = 15.

Multiplicative Inverses  Fermat's theorem can be used to find multiplicative inverses 
modulo a prime; Euler's theorem can be used to find multiplicative inverses modulo a 
composite. If n and a are coprime, then a^(−1) mod n = a^(φ(n)−1) mod n.

This can be easily proved if we multiply both sides of the equality by a and use the 
first version of Euler's theorem.

Example 9.17

The answers to multiplicative inverses modulo a composite can be found without using the 
extended Euclidean algorithm if we know the factorization of the composite:

a. 8^(−1) mod 77 = 8^(φ(77)−1) mod 77 = 8^59 mod 77 = 29 mod 77

b. 7^(−1) mod 15 = 7^(φ(15)−1) mod 15 = 7^7 mod 15 = 13 mod 15

c. 60^(−1) mod 187 = 60^(φ(187)−1) mod 187 = 60^159 mod 187 = 53 mod 187

d. 71^(−1) mod 100 = 71^(φ(100)−1) mod 100 = 71^39 mod 100 = 31 mod 100



Generating Primes

Two mathematicians, Mersenne and Fermat, attempted to develop a formula that could 
generate primes.

Mersenne Primes

Mersenne defined the following formula, called the Mersenne numbers, that was sup-
posed to enumerate all primes.

M_p = 2^p − 1

If p in the above formula is a prime, then M_p was thought to be a prime. Years later, it 
was proved that not all numbers created by the Mersenne formula are primes. The fol-
lowing lists some Mersenne numbers.

M_11 = 2^11 − 1 = 2047      Not a prime (2047 = 23 × 89)
M_13 = 2^13 − 1 = 8191
M_17 = 2^17 − 1 = 131071

It turned out that M_11 is not a prime. However, 41 Mersenne primes have been 
found; the latest one is M_24036583, a very large number with 7,235,733 digits. The 
search continues.

A number in the form M_p = 2^p − 1 is called a Mersenne number and may 
or may not be a prime.

Fermat Primes

Fermat tried to find a formula to generate primes. The following is the formula for a 
Fermat number:

F_n = 2^(2^n) + 1

Fermat tested numbers up to F_4, but it turned out that F_5 is not a prime.

F_5 = 4294967297 = 641 × 6700417      Not a prime

No number greater than F_4 has been proven to be a prime. As a matter of fact, many numbers up to 
F_24 have been proven to be composite numbers.



9.2 PRIMALITY TESTING

Finding an algorithm to correctly and efficiently test a very large integer and output a 
prime or a composite has always been a challenge in number theory, and consequently 
in cryptography. However, recent developments (one of which we discuss in this 
section) look very promising.

Algorithms that deal with this issue can be divided into two broad categories: 
deterministic algorithms and probabilistic algorithms. A deterministic algorithm always 
gives a correct answer; a probabilistic algorithm gives an answer that is correct most, 
but not all, of the time. Although a deterministic algorithm is ideal, it is normally less 
efficient than the corresponding probabilistic one.

Deterministic Algorithms

A deterministic primality testing algorithm accepts an integer and always outputs a 
prime or a composite. Until recently, all deterministic algorithms were so inefficient 
that they were of no practical use. A newer algorithm looks more promising.

Divisibility Algorithm

The most elementary deterministic test for primality is the divisibility test. We use as 
divisors all numbers smaller than √n. If any of these numbers divides n, then n is com-
posite. Algorithm 9.1 shows the pseudocode for the divisibility test.

The algorithm can be improved by testing only odd numbers. It can be further 
improved by testing only prime numbers less than √n. Although the algorithm is deter-
ministic, it is not feasible for large integers: the number of arithmetic operations it needs 
is 2^(n_b/2), where n_b is the number of bits in n, and an algorithm is infeasible (intractable) 
if its complexity is exponential.

The bit-operation complexity of the divisibility test is exponential.

Example 9.18

Assume n has 200 bits. What is the number of bit operations needed to run the divisibility-test 
algorithm?

Solution

The bit-operation complexity of this algorithm is 2^(n_b/2). This means that the algorithm needs 
2^100 bit operations.



Algorithm 9.1 Pseudocode for the divisibility test

Divisibility_Test (n)                      // n is the number to test for primality
{
    for (i = 2 to ⌊√n⌋)                    // every divisor larger than √n pairs with one below it
    {
        if (n mod i = 0)  return "a composite"
    }
    return "a prime"
}



AKS Algorithm

In 2002, Agrawal, Kayal, and Saxena announced that they had found an algorithm for 
primality testing with polynomial bit-operation time complexity of O((log2 n_b)^12). The 
algorithm uses the fact that (x − a)^p ≡ (x^p − a) mod p. It is not surprising to see some 
future refinements make this algorithm the standard primality test in mathematics and 
computer science.

Example 9.19

Assume n has 200 bits. What is the number of bit operations needed to run the AKS algorithm?

Solution

The bit-operation complexity of this algorithm is O((log2 n_b)^12). This means that the algorithm 
needs only (log2 200)^12 bit operations. On a computer capable of doing 1 billion bit operations 
per second, the algorithm needs only 40 seconds.

Probabilistic Algorithms

Before the AKS algorithm, all efficient methods for primality testing were proba-
bilistic. These methods may be used for a while until the AKS is formally accepted as 
the standard. A probabilistic algorithm does not guarantee the correctness of the result. 
However, we can make the probability of error so small that it is almost certain that the 
algorithm has returned a correct answer. The bit-operation complexity of the algorithm 
can become polynomial if we allow a small chance for mistakes. A probabilistic algo-
rithm in this category returns either a prime or a composite based on the following rules:

a. If the integer to be tested is actually a prime, the algorithm definitely returns a 
prime.

b. If the integer to be tested is actually a composite, it returns a composite with prob-
ability 1 − ε, but it may return a prime with the probability ε.

The probability of mistake can be improved if we run the algorithm more than once 
with different parameters or using different methods. If we run the algorithm m times, 
the probability of error may reduce to



Fermat Test

The first probabilistic method we discuss is the Fermat primality test. Recall the Fermat 
little theorem:

If n is a prime, then a^(n−1) ≡ 1 mod n.

Note that this means that if n is a prime, the congruence holds. It does not mean that if 
the congruence holds, n is a prime. The integer can be a prime or composite. We can 
define the following as the Fermat test:

If n is a prime, a^(n−1) ≡ 1 mod n
If n is a composite, it is possible that a^(n−1) ≡ 1 mod n

A prime passes the Fermat test; a composite may pass the Fermat test with proba-
bility ε. The bit-operation complexity of the Fermat test is the same as the complexity of an 
algorithm that calculates exponentiation. Later in this chapter, we introduce an algo-
rithm for fast exponentiation with bit-operation complexity of O(n_b^3), where n_b is the 
number of bits in n. The probability can be improved by testing with several bases (a1, 
a2, and so on). Each test increases the probability that the number is a prime.

Example 9.20

Does the number 561 pass the Fermat test?

Solution

Use base 2:

2^(561−1) ≡ 1 mod 561

The number passes the Fermat test, but it is not a prime, because 561 = 33 × 17.

Square Root Test

In modular arithmetic, if n is a prime, the square root of 1 is either +1 or −1. If n is com-
posite, the square root is +1 or −1, but there may be other roots. This is known as the 
square root primality test. Note that in modular arithmetic, −1 means n − 1.

If n is a prime, √1 mod n = ±1
If n is a composite, √1 mod n = ±1 and possibly other values.

Example 9.21

What are the square roots of 1 mod n if n is 7 (a prime)?

Solution

The only square roots are 1 and −1. We can see that

1^2 = 1 mod 7        (−1)^2 = 1 mod 7
2^2 = 4 mod 7        (−2)^2 = 4 mod 7
3^2 = 2 mod 7        (−3)^2 = 2 mod 7

Note that we don't have to test 4, 5, and 6 because 4 = −3 mod 7, 5 = −2 mod 7, and 6 = −1 mod 7.

Example 9.22

What are the square roots of 1 mod n if n is 8 (a composite)?

Solution

There are four solutions: 1, 3, 5, and 7 (which is −1). We can see that

1^2 = 1 mod 8        (−1)^2 = 1 mod 8
3^2 = 1 mod 8        5^2 = 1 mod 8

Example 9.23

What are the square roots of 1 mod n if n is 17 (a prime)?

Solution

There are only two solutions: 1 and −1

1^2 = 1 mod 17       (−1)^2 = 1 mod 17
2^2 = 4 mod 17       (−2)^2 = 4 mod 17
3^2 = 9 mod 17       (−3)^2 = 9 mod 17
4^2 = 16 mod 17      (−4)^2 = 16 mod 17
5^2 = 8 mod 17       (−5)^2 = 8 mod 17
6^2 = 2 mod 17       (−6)^2 = 2 mod 17
7^2 = 15 mod 17      (−7)^2 = 15 mod 17
8^2 = 13 mod 17      (−8)^2 = 13 mod 17

Note that there is no need to check integers larger than 8 because 9 = −8 mod 17 and so on.

Example 9.24

What are the square roots of 1 mod n if n is 22 (a composite)?

Solution

Surprisingly, there are only two solutions, +1 and −1, although 22 is a composite.

1^2 = 1 mod 22
(−1)^2 = 1 mod 22

Although this test can tell us if a number is composite, it is difficult to do the testing. 
Given a number n, all numbers less than n (except 1 and n − 1) must be squared to be sure 
that none of them is 1. This test can be used for a number (not ±1) that when squared 
in modulus n has the value 1. This fact helps in the Miller-Rabin test in the next section.
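The tests of this section, run on the numbers from the examples, as an added example that is not code from the book (the names `divisibility_test`, `smallest_factor`, `fermat_test`, `square_roots_of_one` and `miller_rabin` are this example's own). It goes one step beyond the text by also coding the Miller-Rabin combination that the next section introduces, in the standard form: write n − 1 = m × 2^k, start from a^m mod n, and square k times, declaring a composite the moment a value other than ±1 squares to 1. Run on 561, it shows what the Fermat test alone misses.

```python
"""Divisibility test (Algorithm 9.1), Fermat test, square roots of 1 mod n,
and the Miller-Rabin combination of the Fermat and square root tests, run on
the numbers in the examples.

Added example, not code from the book; names are this example's own.
"""
import math

def divisibility_test(n):
    """Algorithm 9.1: n is composite if some i in 2..floor(sqrt(n)) divides it."""
    if n < 2:
        return False
    for i in range(2, math.isqrt(n) + 1):
        if n % i == 0:
            return False
    return True

def smallest_factor(n):
    """Smallest prime factor by trial division (n itself when n is prime)."""
    for i in range(2, math.isqrt(n) + 1):
        if n % i == 0:
            return i
    return n

def fermat_test(n, a):
    """True when a^(n-1) = 1 mod n. Every prime passes; a composite such as
    561 may pass too (a pseudoprime to base a)."""
    return pow(a, n - 1, n) == 1

def square_roots_of_one(n):
    """All x in 1..n-1 with x^2 = 1 mod n; exactly [1, n-1] when n is prime."""
    return [x for x in range(1, n) if x * x % n == 1]

def miller_rabin(n, a):
    """One round of Miller-Rabin in base a. n-1 = m * 2^k with m odd;
    T = a^m mod n is squared k times. Return True (strong pseudoprime to
    base a) if T is +-1 at the start or becomes -1 later; return False if
    T reaches 1 from something other than +-1 (failed square root test) or
    never reaches 1 (failed Fermat test)."""
    if n < 3 or n % 2 == 0:
        return n == 2
    m, k = n - 1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    t = pow(a, m, n)
    if t == 1 or t == n - 1:
        return True
    for _ in range(k - 1):
        t = t * t % n
        if t == n - 1:
            return True
        if t == 1:
            return False
    return False

if __name__ == "__main__":
    print(divisibility_test(97), divisibility_test(301))          # Examples 9.5, 9.6
    print(smallest_factor(2047), smallest_factor(4294967297))      # M_11 and F_5
    print(fermat_test(561, 2), miller_rabin(561, 2))               # Example 9.20
    for n in (7, 8, 17, 22):                                       # Examples 9.21 to 9.24
        print(n, square_roots_of_one(n))
```

With base 2 the sequence for 561 runs 263, 166, 67, 1: the last step squares 67, which is neither +1 nor −1, to get 1, so 561 fails the square root test even though 2^560 mod 561 = 1 passes the Fermat test.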



Miller-Rabin Test

The Miller-Rabin primality test combines the Fermat test and the square root test in a
very elegant way to find a strong pseudoprime (a prime with a very high probability). In
this test, we write n − 1 as the product of an odd number m and a power of 2:

n − 1 = m × 2^k

The Fermat test in base a can be written as shown in Figure 9.2.



CHAPTER 9 MATHEMATICS OF CRYPTOGRAPHY

Figure 9.2 Idea behind Fermat primality test

In other words, instead of calculating a^(n−1) (mod n) in one step, we can do it in k + 1
steps. What is the benefit of using k + 1 steps instead of just one? The benefit is that in
each step, the square root test can be performed. If the square root test fails, we stop
and declare n a composite number. In each step, we assure ourself that the Fermat test
is passed and the square root test is satisfied between all pairs of adjacent steps, if appli-
cable (if the result is 1).

Initialization:

Choose a base a and calculate T = a^m in which m = (n − 1) / 2^k.

a. If T is +1 or −1, declare that n is a strong pseudoprime and stop. We say that
n has passed two tests, the Fermat test and the square root test. Why?
Because if T is ±1, T will become 1 in the next step and remains 1 until it
passes the Fermat test. In addition, T has passed the square root test, because
T would be 1 in the next step and the square root of 1 (in the next step) is ±1
(in this step).

b. If T is anything else, we are not sure if n is a prime or a composite, so we con-
tinue to the next step.

Step 1:

We square T.

a. If the result is +1, we definitely know that the Fermat test will be passed,
because T remains 1 for the succeeding tests. The square root test, however, has
not been passed. Because T is 1 in this step and was something other than ±1 in
the previous step (the reason why we did not stop in the previous step), we
declare n a composite and stop.

b. If the result is −1, we know that n will eventually pass the Fermat test. We also
know that it will pass the square root test because T is −1 in this step and
becomes 1 in the next step. We declare n a strong pseudoprime and stop.

c. If T is anything else, we are not sure whether we do or do not have a prime. We
continue to the next step.

Steps 2 to k − 1:

This step and all steps until step k − 1 are the same as step 1.



Step k:

This step is not needed. If we have reached this step and we have not made a decision,
this step will not help us. If the result of this step is 1, the Fermat test is passed but,
because the result of the previous step is not ±1, the square root test is not passed. After
step k − 1, if we have not already stopped, we declare that n is composite.

The Miller-Rabin test needs from step 0 to step k − 1.

Algorithm 9.2 shows the pseudocode for the Miller-Rabin test.

Algorithm 9.2 Pseudocode for Miller-Rabin test

Miller_Rabin_Test (n, a)                    // n is the number to be tested; a is the base
{
    Find m and k such that n − 1 = m × 2^k
    T ← a^m mod n                           // initialization step
    if (T = ±1) return "a prime"
    for (i ← 1 to k − 1)                    // k − 1 is the maximum number of steps
    {
        T ← T^2 mod n
        if (T = +1) return "a composite"
        if (T = −1) return "a prime"
    }
    return "a composite"
}

% 

There exists a proof that each time a number passes a Miller-Rabin test, the proba-
bility that it is not a prime is 1/4. If the number passes m tests (with m different bases),
the probability that it is not a prime is (1/4)^m.

Example 9.25

Does the number 561 pass the Miller-Rabin test?

Solution

Using base 2, let 561 − 1 = 35 × 2^4, which means m = 35, k = 4, and a = 2.

Initialization:  T = 2^35 mod 561 = 263 mod 561
k = 1:           T = 263^2 mod 561 = 166 mod 561
k = 2:           T = 166^2 mod 561 = 67 mod 561
k = 3:           T = 67^2 mod 561 = +1 mod 561 → a composite

Example 9.26

We already know that 27 is not a prime. Let us apply the Miller-Rabin test.

Solution

With base 2, let 27 − 1 = 13 × 2^1, which means m = 13, k = 1, and a = 2. In this case, because
k − 1 = 0, we perform only the initialization step: T = 2^13 mod 27 = 11 mod 27. However,
because the algorithm never enters the loop, it returns a composite.

Example 9.27

We know that 61 is a prime. Let us see if it passes the Miller-Rabin test.

Solution

We use base 2.

61 − 1 = 15 × 2^2    m = 15    k = 2    a = 2
Initialization:  T = 2^15 mod 61 = 11 mod 61
k = 1:           T = 11^2 mod 61 = −1 mod 61 → a prime

Note that the last result is 60 mod 61, but we know that 60 = −1 mod 61.

Recommended Primality Test

Today, one of the most popular primality tests is a combination of the divisibility test
and the Miller-Rabin test. Following are the recommended steps:

1. Choose an odd integer, because all even integers (except 2) are definitely
composites.

2. Do some trivial divisibility tests on some known primes such as 3, 5, 7, 11, 13, and
so on to be sure that you are not dealing with an obvious composite. If the number
passes all of these tests, move to the next step. If the number fails any of these
tests, go back to step 1 and choose another odd number.

3. Choose a set of bases for testing. A large set of bases is preferable.

4. Do Miller-Rabin tests on each of the bases. If any of them fails, go back to step 1
and choose another odd number. If the test passes for all bases, declare the number
a strong pseudoprime.



Example 9.28

The number 4033 is a composite (37 × 109). Does it pass the recommended primality test?

Solution

1. Perform the divisibility tests first. The numbers 2, 3, 5, 7, 11, 17, and 23 are not divisors
of 4033.

2. Perform the Miller-Rabin test with a base of 2. 4033 − 1 = 63 × 2^6, which means m is 63
and k is 6.

Initialization:  T = 2^63 (mod 4033) = 3521 (mod 4033)
k = 1:           T = T^2 = 3521^2 (mod 4033) = −1 (mod 4033) → Passes

3. But we are not satisfied. We continue with another base, 3.

Initialization:  T = 3^63 (mod 4033) = 3551 (mod 4033)
k = 1:           T = T^2 = 3551^2 (mod 4033) = 2443 (mod 4033)
k = 2:           T = T^2 = 2443^2 (mod 4033) = 3442 (mod 4033)
k = 3:           T = T^2 = 3442^2 (mod 4033) = 2443 (mod 4033)
k = 4:           T = T^2 = 2443^2 (mod 4033) = 3442 (mod 4033)
k = 5:           T = T^2 = 3442^2 (mod 4033) = 2443 (mod 4033) → Failed (composite)
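The square root test of Examples 9.21 to 9.24, Algorithm 9.2 and the recommended four-step test, as an added Python example (not code from the book); the function names are my own, and the small-prime list used for the divisibility step is an assumption.

```python
# Added example (not from the book): the square root test of Examples 9.21-9.24
# and the Miller-Rabin test of Algorithm 9.2 plus the recommended combined test.


def square_roots_of_one(n):
    """Brute-force square roots of 1 mod n (Examples 9.21-9.24).

    A prime has only +1 and -1 (that is, n - 1); a composite may have more,
    but need not (22 has only two), which is why the test alone is not
    conclusive and why it is folded into Miller-Rabin below.
    """
    return [x for x in range(1, n) if (x * x) % n == 1]


def split_n_minus_one(n):
    """Write n - 1 = m * 2**k with m odd; returns (m, k)."""
    m, k = n - 1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return m, k


def miller_rabin(n, a):
    """Algorithm 9.2 for one base a: returns 'a prime' or 'a composite'.

    'a prime' means n is a strong pseudoprime to base a: the square root
    test held between every pair of adjacent squarings. A composite passes
    a single base with probability at most 1/4, so several bases are used.
    """
    m, k = split_n_minus_one(n)
    T = pow(a, m, n)                       # initialization: T = a^m mod n
    if T == 1 or T == n - 1:               # T = +1 or T = -1
        return "a prime"
    for _ in range(1, k):                  # steps 1 .. k-1
        T = (T * T) % n
        if T == 1:                         # previous T was not +/-1: root test fails
            return "a composite"
        if T == n - 1:                     # Fermat and square root tests both pass
            return "a prime"
    return "a composite"                   # step k would not help


# Assumed list of small primes for step 2 of the recommended test.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23)


def recommended_test(n, bases):
    """The recommended test: odd number, trivial divisibility, then
    Miller-Rabin with every base in `bases` (Example 9.28 uses 2 and 3)."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return "a composite"               # step 1: even numbers are out
    for p in SMALL_PRIMES:                 # step 2: obvious composites
        if n != p and n % p == 0:
            return "a composite"
    for a in bases:                        # step 4: one run per base
        if miller_rabin(n, a) == "a composite":
            return "a composite"
    return "a strong pseudoprime"
```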



CO 



9.3 FACTORIZATION

Factorization has been the subject of continuous research in the past; such research is
likely to continue in the future. Factorization plays a very important role in the security
of several public-key cryptosystems (see Chapter 10).

Fundamental Theorem of Arithmetic

According to the Fundamental Theorem of Arithmetic, any positive integer greater
than one can be written uniquely in the following prime factorization form, where p1,
p2, ..., pk are primes and e1, e2, ..., ek are positive integers.

There are immediate applications of factorization, such as the calculation of the
greatest common divisor and the least common multiplier.

Greatest Common Divisor

Chapter 2 discussed the greatest common divisor of two numbers, gcd(a, b). Recall
that the Euclidean algorithm gives this value, but this value can also be found if we
know the factorization of a and b.

Least Common Multiplier

The least common multiplier, lcm(a, b), is the smallest integer that is a multiple of both
a and b. Using factorization, we also find lcm(a, b).

a = p1^e1 × p2^e2 × ... × pk^ek        b = p1^f1 × p2^f2 × ... × pk^fk




It can be proved that gcd(a, b) and lcm(a, b) are related to each other as shown below.

Factorization Methods

There has been a long search for efficient algorithms to factor large composite num-
bers. Unfortunately, no such perfect algorithm has been found. Although there are sev-
eral algorithms that can factor a number, none are capable of factoring a very large
number in a reasonable amount of time. Later we will see that this is good for cryptog-
raphy because modern cryptosystems rely on this fact. In this section, we give a few
simple algorithms that factor a composite number. The purpose is to make clear that the
process of factorization is time consuming.

By far, the simplest and least efficient algorithm is the trial division factorization
method. We simply try all the positive integers, starting with 2, to find one that
divides n. From the discussion on the sieve of Eratosthenes, we know that if n is com-
posite, then it will have a prime p ≤ √n. Algorithm 9.3 shows the pseudocode for
this method. The algorithm has two loops, one outer and one inner. The outer loop
finds unique factors; the inner loop finds duplicates of a factor. For example, 24 =
2^3 × 3. The outer loop finds the factors 2 and 3. The inner loop finds that 2 is a multi-
ple factor.

O 

Algorithm 9.3 Pseudocode for trial-division factorization

Trial_Division_Factorization (n)            // n is the number to be factored
{
    a ← 2
    while (a ≤ √n)
    {
        while (n mod a = 0)
        {
            output a                        // Factors are output one by one
            n ← n / a
        }
        a ← a + 1
    }
    if (n > 1) output n                     // n has no more factors
}

Complexity  The trial-division method is normally good if n < 2^50, but it is very inef-
ficient and infeasible for factoring large integers. The complexity of the algorithm (see
Appendix L) is exponential.



Example 9.29

Use the trial division algorithm to find the factors of 1233.

Solution

We ran a program based on the algorithm and got the following result:

1233 = 3 × 3 × 137

Example 9.30

Use the trial division algorithm to find the factors of 13X3 357 784.

Solution

We ran a program based on the algorithm and got the following result:

Fermat Method

The Fermat factorization method (Algorithm 9.4) divides a number n into two posi-
tive integers a and b (not necessarily a prime) so that n = a × b.

Algorithm 9.4 Pseudocode for Fermat factorization

Fermat_Factorization (n)                    // n is the number to be factored
{
    x ← ⌈√n⌉                                // smallest integer greater than √n
    while (x < n)
    {
        w ← x^2 − n
        if (w is a perfect square)          // y = √w; return a and b
        {
            y ← √w
            a ← x + y
            b ← x − y
            return a and b
        }
        x ← x + 1
    }
}

The Fermat method is based on the fact that if we can find x and y such that n = x^2 − y^2,
then we have

n = x^2 − y^2 = (x + y)(x − y) → n = a × b    with a = (x + y) and b = (x − y)

The method tries to find two integers a and b close to each other (a ≈ b). It starts from
the smallest integer greater than x = √n and tries to find another integer y such that the
relation y^2 = x^2 − n holds. The whole point is that, in each iteration, we need to see if
the result of x^2 − n is a perfect square. If we find such a value for y, we calculate a and b
and break from the loop. If we do not, we do another iteration.



Note that the method does not necessarily find a prime factorization; the algo-
rithm must be recursively repeated for each value a and b until the prime factors are
found.

Complexity  The complexity of the Fermat method is close to subexponential (see
Appendix L).
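Algorithms 9.3 and 9.4 as an added Python example (not code from the book), run on the book's 1233 and on a constructed value, 5959 = 59 × 101; the function names are my own.

```python
# Added example (not from the book): Algorithm 9.3 (trial division) and
# Algorithm 9.4 (Fermat factorization) exactly as the pseudocode describes them.
from math import isqrt


def trial_division(n):
    """Algorithm 9.3: prime factors of n in nondecreasing order, with
    repeats (the inner loop strips every copy of the same factor)."""
    factors = []
    a = 2
    while a * a <= n:                 # a <= sqrt(n), without floating point
        while n % a == 0:
            factors.append(a)         # factors are output one by one
            n //= a
        a += 1
    if n > 1:                         # n has no more factors
        factors.append(n)
    return factors


def is_perfect_square(w):
    r = isqrt(w)
    return r * r == w


def fermat_factorization(n):
    """Algorithm 9.4: returns (a, b) with n = a * b, a = x + y, b = x - y.

    n is assumed odd: an even n that is twice an odd number is not a
    difference of two squares, so the loop would run all the way to x = n.
    A prime n ends with the trivial split (n, 1); a composite n gives the
    pair of divisors closest to sqrt(n), not necessarily primes, so the
    method must be repeated on a and b to reach prime factors.
    """
    x = isqrt(n) + 1                  # smallest integer greater than sqrt(n)
    while x < n:
        w = x * x - n
        if is_perfect_square(w):
            y = isqrt(w)
            return x + y, x - y
        x += 1
    return None
```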



Pollard p − 1 Method

In 1974, John M. Pollard developed a method that finds a prime factor p of a number
based on the condition that p − 1 has no factor larger than a predefined value B, called
the bound. Pollard showed that in this case

Algorithm 9.5 shows the pseudocode for the Pollard p − 1 factorization method. Note
that when we come out of the loop, 2^(B!) is stored in a.

Algorithm 9.5 Pseudocode for Pollard p − 1 factorization

Pollard_(p − 1)_Factorization (n, B)       // n is the number to be factored
{
    a ← 2
    e ← 2
    while (e ≤ B)
    {
        a ← a^e mod n
        e ← e + 1
    }
    p ← gcd (a − 1, n)
    if 1 < p < n return p
    return failure
}

Complexity  Note that this method needs to do B − 1 exponentiation operations (a =
a^e mod n). As we will see later in this chapter, there is a fast exponentiation algorithm
that does this in log2 B operations. The method also uses the gcd calculation, which
needs log n operations. We can say that the complexity is somehow greater than O(B) or
O(2^nb): exponential, where nb is the number of bits in B. Another problem is that the algo-
rithm may fail. The probability of success is very small unless B is very close to √n.



Example 9.31

Use the Pollard p − 1 method to find a factor of 57247159 with the bound B = 8.

Solution

We ran a program based on the algorithm and find that p = 421. As a matter of fact 57247159 =
421 × 135979. Note that 421 is a prime and 421 − 1 has no factor greater than 8 (421 − 1 = 2^2 × 3 ×
5 × 7).
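Algorithm 9.5 as an added Python example (not code from the book), applied to Example 9.31 and to a bound that is too small to succeed; the function names are my own.

```python
# Added example (not from the book): Algorithm 9.5, Pollard's p - 1 method,
# run on the book's Example 9.31 (n = 57247159, B = 8) and on a failing bound.
from math import gcd


def pollard_p_minus_1(n, B):
    """Returns a nontrivial factor p of n, or None when the method fails.

    After the loop a = 2^(B!) mod n. If some prime p dividing n has every
    prime-power factor of p - 1 at most B, then (p - 1) divides B!, so by
    Fermat's little theorem a = 1 (mod p) and p divides gcd(a - 1, n).
    The gcd is 1 when no prime factor qualifies, and n when all of them do;
    both cases are reported as failure, as in the pseudocode.
    """
    a = 2
    for e in range(2, B + 1):      # e = 2 .. B: B - 1 exponentiations
        a = pow(a, e, n)           # fast (square-and-multiply) exponentiation
    p = gcd(a - 1, n)
    if 1 < p < n:
        return p
    return None


def prime_factors(m):
    """Trial-division factorization, used here only to check the bound
    condition the method relies on (421 - 1 = 2^2 * 3 * 5 * 7)."""
    factors, d = [], 2
    while d * d <= m:
        while m % d == 0:
            factors.append(d)
            m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def bound_condition_holds(p, B):
    """True when every prime-power factor of p - 1 is at most B, which
    guarantees that pollard_p_minus_1 with bound B exposes p."""
    powers = {}
    for q in prime_factors(p - 1):
        powers[q] = powers.get(q, 1) * q
    return all(qk <= B for qk in powers.values())
```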

Pollard rho Method

In 1975, John Pollard developed a second method for factorization. The Pollard rho
factorization method is based on the following points:

a. Assume that there are two integers, x1 and x2, such that p divides x1 − x2 but n
does not.

b. It can be proved that p = gcd(x1 − x2, n). Because p divides x1 − x2, it can be
written as x1 − x2 = q × p. But because n does not divide x1 − x2, it is obvious
that q does not divide n. This means that gcd(x1 − x2, n) is either 1 or a factor
of n.

The following algorithm repeatedly selects x1 and x2 until it finds a pair that is an
appropriate pair:

1. Choose x1, a small random integer called the seed.

2. Use a function to calculate x2 such that n does not divide x2 − x1. A function that
may be used here is x2 = f(x1) = x1^2 + a (a is normally chosen as 1).

3. Calculate gcd(x1 − x2, n). If it is not 1, the result is a factor of n; stop. If it is 1,
return to step 1 and repeat the process with x2. Now we are calculating x3. Note that
in the next round, we start with x3, and so on. If we list the values of x's using the
Pollard rho algorithm, we see that values are eventually repeated, creating a
shape similar to the Greek letter rho as shown in Figure 9.3.

Figure 9.3 Pollard rho successive numbers

To decrease the number of iterations, the algorithm has been slightly modified.
The algorithm starts with the pair (x0, x0) and iteratively computes (x1, x2), (x2, x4),
(x3, x6), ..., (xi, x2i) using x(i+1) = f(xi). In each iteration we use the function (from step 2)
once to calculate the first element in the pair and twice to calculate the second element
in the pair (see Algorithm 9.6).

Algorithm 9.6 Pseudocode for Pollard rho method

Pollard_rho_Factorization (n)               // n is the number to be factored
{
    x ← 2
    y ← 2
    p ← 1
    while (p = 1)
    {
        x ← f(x) mod n
        y ← f(f(y) mod n) mod n
        p ← gcd (x − y, n)
    }
    if (p = n) the program has failed
    return p
}

Complexity  The method requires √p arithmetic operations. However, because we
expect p to be smaller than or equal to √n, we expect to do n^(1/4) arithmetic operations. This
means that the bit-operation complexity is O(2^(nb/4)), exponential.

O 

Example 9.32

Assume that there is a computer that can perform 2^30 (almost 1 billion) bit operations per second.
What is the approximate time required to factor an integer of size

a. 60 decimal digits?

b. 100 decimal digits?

Solution

a. A number of 60 decimal digits has almost 200 bits. The complexity is then 2^(200/4) or 2^50.
With 2^30 operations per second, the algorithm can be computed in 2^20 seconds, or almost
12 days.

b. A number of 100 decimal digits has almost 300 bits. The complexity is 2^75. With 2^30
operations per second, the algorithm can be computed in 2^45 seconds, many years.



Example 9.33

We have written a program to calculate the factors of 434617. The result is 709 (434617 = 709 × 613).
Table 9.2 shows the values of pairs (x and y) and p in this run.
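Algorithm 9.6 with the pair (xi, x2i) as an added Python example (not code from the book), reproducing the run of Example 9.33 row by row; the function names are my own.

```python
# Added example (not from the book): Algorithm 9.6, the Pollard rho method
# with the pair (x_i, x_2i), applied to the book's Example 9.33 (n = 434617).
from math import gcd


def f(x, n):
    """The iteration function of step 2: f(x) = x^2 + 1, that is a = 1."""
    return (x * x + 1) % n


def pollard_rho(n, seed=2):
    """Returns a nontrivial factor of n, or None if p = n (the run failed;
    another seed or another function f may then succeed)."""
    x = y = seed
    p = 1
    while p == 1:
        x = f(x, n)                 # x_i: one application of f
        y = f(f(y, n), n)           # x_2i: two applications of f
        p = gcd(x - y, n)           # math.gcd handles a negative difference
    return None if p == n else p


def pollard_rho_trace(n, seed=2):
    """Same algorithm, but also returns the (x, y, p) rows of Table 9.2,
    so the rho-shaped repetition of the x values can be inspected."""
    rows = []
    x = y = seed
    p = 1
    while p == 1:
        x = f(x, n)
        y = f(f(y, n), n)
        p = gcd(x - y, n)
        rows.append((x, y, p))
    return rows
```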

More Efficient Methods

Several factorization methods have been devised during the last few decades. Two of
these methods are briefly discussed here.



Table 9.2 Values of x, y, and p in Example 9.33 (table body not recoverable from the scan; p is 1 in every row except the last, where p = 709)



Quadratic Sieve

Pomerance devised a factorization method called the quadratic sieve method. The method
uses a sieving procedure to find the value of x^2 mod n. The method was used to factor inte-
gers with more than 100 digits. Its complexity is O(e^C), where C ≈ (ln n ln ln n)^(1/2). Note that
this is subexponential complexity.

Number Field Sieve

Hendrik Lenstra and Arjen Lenstra devised a factorization method called the number
field sieve method. The method uses a sieving procedure in an algebraic ring structure
to find x^2 ≡ y^2 mod n. It has been shown that this method is faster for factoring numbers
with more than 120 digits. Its complexity is O(e^C), where C = (ln n)^(1/3) (ln ln n)^(2/3).
Note that this is also subexponential complexity.

Example 9.34

Assume that there is a computer that can perform 2^30 (almost 1 billion) bit operations per second.
What is the approximate time required for this computer to factor an integer of 100 decimal digits
using one of the following methods?

a. Quadratic sieve method

b. Number field sieve method

Solution

A number with 100 decimal digits has almost 300 bits (n ≈ 2^300). ln(2^300) ≈ 207 and ln ln(2^300) ≈ 5.

a. For the quadratic sieve method we have (207)^(1/2) × (5)^(1/2) ≈ 14 × 2.23 ≈ 32. This means
we need e^32 bit operations that can be done in (e^32) / (2^30) ≈ 20 hours.

b. For the number field sieve method we have (207)^(1/3) × (5)^(2/3) ≈ 6 × 3 = 18. This means we
need e^18 bit operations that can be done in (e^18) / (2^30) ≈ 6 seconds.

However, these results are valid only if we have a computer that can perform 1 billion bit opera-
tions per second.




Other Challenges

Chapter 10 will discuss the application of factorization in breaking public-key crypto-
systems. If more efficient factorization methods are devised, public-key cryptosystems
need to use larger integers to resist cryptanalysis. The inventors of RSA have created
contests for factorization of numbers up to 2048 bits (more than 600 digits).

9.4 CHINESE REMAINDER THEOREM

The Chinese remainder theorem (CRT) is used to solve a set of congruent equa-
tions with one variable but different moduli, which are relatively prime, as shown
below:

x ≡ a1 (mod m1)
x ≡ a2 (mod m2)
...
x ≡ ak (mod mk)

The Chinese remainder theorem states that the above equations have a unique solu-
tion if the moduli are relatively prime.

Example 9.35

The following is an example of a set of equations with different moduli:

x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
x ≡ 2 (mod 7)

The solution to this set of equations is given in the next section; for the moment, note that
the answer to this set of equations is x = 23. This value satisfies all equations: 23 ≡ 2 (mod 3),
23 ≡ 3 (mod 5), and 23 ≡ 2 (mod 7).

Solution

The solution to the set of equations follows these steps:

1. Find M = m1 × m2 × ... × mk. This is the common modulus.

2. Find M1 = M/m1, M2 = M/m2, ..., Mk = M/mk.

3. Find the multiplicative inverse of M1, M2, ..., Mk using the corresponding moduli (m1,
m2, ..., mk). Call the inverses M1^−1, M2^−1, ..., Mk^−1.

4. The solution to the simultaneous equations is

x = (a1 × M1 × M1^−1 + a2 × M2 × M2^−1 + ... + ak × Mk × Mk^−1) mod M

Note that the set of equations can have a solution even if the moduli are not relatively prime
but meet other conditions. However, in cryptography, we are only interested in solving equations
with coprime moduli.



Example 9.36

Find the solution to the simultaneous equations:

x ≡ 2 mod 3
x ≡ 3 mod 5
x ≡ 2 mod 7

From the previous example, we already know that the answer is x = 23. We follow the four steps.

1. M = 3 × 5 × 7 = 105

2. M1 = 105/3 = 35, M2 = 105/5 = 21, M3 = 105/7 = 15

3. The inverses are M1^−1 = 2, M2^−1 = 1, M3^−1 = 1

4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23 mod 105

Example 9.37

Find an integer that has a remainder of 3 when divided by 7 and 13, but is divisible by 12.

Solution

This is a CRT problem. We can form three equations and solve them to find the value of x.

x ≡ 3 mod 7
x ≡ 3 mod 13
x ≡ 0 mod 12

If we follow the four steps, we find x = 276. We can check that 276 ≡ 3 mod 7, 276 ≡ 3 mod 13
and 276 is divisible by 12 (the quotient is 23 and the remainder is zero).

Applications

The Chinese remainder theorem has several applications in cryptography. One is to
solve quadratic congruence as discussed in the next section. The other is to represent a
very large integer in terms of a list of small integers.

Example 9.38

Assume we need to calculate z = x + y where x = 123 and y = 334, but our system accepts only
numbers less than 100. These numbers can be represented as follows:

x ≡ 24 (mod 99)        y ≡ 37 (mod 99)
x ≡ 25 (mod 98)        y ≡ 40 (mod 98)
x ≡ 26 (mod 97)        y ≡ 43 (mod 97)

Adding each congruence in x with the corresponding congruence in y gives

x + y ≡ 61 (mod 99) → z ≡ 61 (mod 99)
x + y ≡ 65 (mod 98) → z ≡ 65 (mod 98)
x + y ≡ 69 (mod 97) → z ≡ 69 (mod 97)

Now the three equations can be solved using the Chinese remainder theorem to find z. One of
the acceptable answers is z = 457.
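The four-step CRT solution, run on Examples 9.35 to 9.38, as an added Python example (not code from the book); the function names are my own, and the inverse of step 3 is computed with Python's built-in pow(M_i, -1, m_i), which raises ValueError when the moduli are not coprime.

```python
# Added example (not from the book): the four-step CRT solution of Section 9.4
# applied to Examples 9.35-9.38.


def crt_steps(residues, moduli):
    """Returns (M, [M_i], [M_i^-1], x): the values of steps 1-4 for
    x = a_i (mod m_i). Moduli must be pairwise coprime; otherwise step 3
    fails with ValueError because some M_i has no inverse modulo m_i."""
    M = 1
    for m in moduli:                                  # step 1: common modulus
        M *= m
    Ms = [M // m for m in moduli]                     # step 2: M_i = M / m_i
    invs = [pow(M_i, -1, m_i) for M_i, m_i in zip(Ms, moduli)]   # step 3
    x = sum(a * M_i * inv for a, M_i, inv in zip(residues, Ms, invs)) % M
    return M, Ms, invs, x                             # step 4


def crt(residues, moduli):
    """The unique x in [0, M) satisfying every congruence."""
    return crt_steps(residues, moduli)[3]


def add_via_residues(x, y, moduli):
    """Example 9.38: represent x and y by their residues modulo a list of
    small coprime moduli, add component-wise, and recombine with the CRT.
    The result is the true sum as long as x + y is smaller than M."""
    zs = [(x % m + y % m) % m for m in moduli]
    return crt(zs, moduli)
```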

9.5 QUADRATIC CONGRUENCE

Linear congruence was discussed in Chapter 2 and the Chinese remainder theorem was
discussed in the previous section. In cryptography, we also need to discuss quadratic
congruence, that is, equations of the form a2 x^2 + a1 x + a0 ≡ 0 (mod n). We limit our dis-
cussion to quadratic equations in which a2 = 1 and a1 = 0, that is, equations of the form

x^2 ≡ a (mod n).

Quadratic Congruence Modulo a Prime

We first consider the case in which the modulus is a prime. In other words, we want to
find the solutions for an equation of the form x^2 ≡ a (mod p), in which p is a prime and a is
an integer such that p ∤ a. It can be proved that this type of equation has either no solu-
tion or exactly two incongruent solutions.

Example 9.39

The equation x^2 ≡ 3 (mod 11) has two solutions, x ≡ 5 (mod 11) and x ≡ −5 (mod 11). But note
that −5 ≡ 6 (mod 11), so the solutions are actually 5 and 6. Also note that these two solutions are
incongruent.

Example 9.40

The equation x^2 ≡ 2 (mod 11) has no solution. No integer x can be found such that its square is
2 mod 11.

Quadratic Residues and Nonresidues

In the equation x^2 ≡ a (mod p), a is called a quadratic residue (QR) if the equation has
two solutions; a is called a quadratic nonresidue (QNR) if the equation has no solu-
tions. It can be proved that in Zp*, with p − 1 elements, exactly (p − 1)/2 elements are
quadratic residues and (p − 1)/2 are quadratic nonresidues.

Example 9.41

There are 10 elements in Z11*. Exactly five of them are quadratic residues and five of them are
nonresidues. In other words, Z11* is divided into two separate sets, QR and QNR, as shown in
Figure 9.4.

Euler's Criterion

How can we check to see if an integer is a QR modulo p? Euler's criterion gives a very
specific condition:

a. If a^((p−1)/2) ≡ 1 (mod p), a is a quadratic residue modulo p.

b. If a^((p−1)/2) ≡ −1 (mod p), a is a quadratic nonresidue modulo p.



Figure 9.4 Division of Z11* elements into QRs and QNRs

QR set = {1, 3, 4, 5, 9}
QNR set = {2, 6, 7, 8, 10}

Example 9.42

To find out if 14 or 16 is a QR in Z23*, we calculate:

14^11 mod 23 = 22 mod 23 = −1 mod 23  → 14 is a QNR: it has no square root in Z23*
16^11 mod 23 = 1 mod 23               → 16 is a QR: it has square roots in Z23*


Solving Quadratic Equation Modulo a Prime

Although Euler's criterion tells us if an integer a is a QR or QNR in Zp*, it cannot
find the solution to x^2 ≡ a (mod p). To find the solution to this quadratic equation, we
notice that a prime can be either p = 4k + 1 or p = 4k + 3, in which k is a positive inte-
ger. The solution to a quadratic equation is very involved in the first case; it is easier in
the second. We will discuss only the second case, which we will use in Chapter 10
when we discuss the Rabin cryptosystem.

Special Case: p = 4k + 3  If p is in the form 4k + 3 (that is, p ≡ 3 mod 4) and a is a
QR in Zp*, then

x ≡ a^((p+1)/4) (mod p)    and    x ≡ −a^((p+1)/4) (mod p)



Example 9.43

Solve the following quadratic equations:

a. x^2 ≡ 3 (mod 23)

b. x^2 ≡ 2 (mod 11)

c. x^2 ≡ 7 (mod 19)

Solutions

a. In the first equation, 3 is a QR in Z23*. The solution is x ≡ ±16 (mod 23). In other words,
√3 ≡ ±16 (mod 23).

b. In the second equation, 2 is a QNR in Z11*. There is no solution for √2 in Z11*.

c. In the third equation, 7 is a QR in Z19*. The solution is x ≡ ±11 (mod 19). In other
words, √7 ≡ ±11 (mod 19).

Quadratic Congruence Modulo a Composite

Quadratic congruence modulo a composite can be done by solving a set of congruences
modulo a prime. In other words, we can decompose x^2 ≡ a (mod n) if we have the
factorization of n. Now we can solve each decomposed equation (if solvable) and find k
pairs of answers for x as shown in Figure 9.5.



Figure 9.5 Decomposition of congruence modulo a composite

x^2 ≡ a1 (mod p1)
x^2 ≡ a2 (mod p2)
...
x^2 ≡ ak (mod pk)

From k pairs of answers, we can make 2^k sets of equations that can be solved using
the Chinese remainder theorem to find 2^k values for x. In cryptography, normally n is
made such that n = p × q, which means k = 2 and we have only four total answers.

Example 9.44

Assume that x^2 ≡ 36 (mod 77). We know that 77 = 7 × 11. We can write

x^2 ≡ 36 (mod 7)  → x^2 ≡ 1 (mod 7)
x^2 ≡ 36 (mod 11) → x^2 ≡ 3 (mod 11)

Note that we have chosen 7 and 11 to be of the form 4k + 3 so that we can solve the equations
based on the previous discussion. Both of these equations have quadratic residues in their own
sets. The answers are x ≡ +1 (mod 7), x ≡ −1 (mod 7), x ≡ +5 (mod 11), and x ≡ −5 (mod 11).
Now we can make four sets of equations out of these:

Set 1:  x ≡ +1 (mod 7)    x ≡ +5 (mod 11)
Set 2:  x ≡ +1 (mod 7)    x ≡ −5 (mod 11)
Set 3:  x ≡ −1 (mod 7)    x ≡ +5 (mod 11)
Set 4:  x ≡ −1 (mod 7)    x ≡ −5 (mod 11)

The answers are x ≡ ±6 and ±27.
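Euler's criterion, the p = 4k + 3 square root formula and the CRT recombination of Example 9.44, as an added Python example (not code from the book), run on Examples 9.39 to 9.44; the function names are my own.

```python
# Added example (not from the book): Euler's criterion, the p = 4k + 3 square
# root formula, and the CRT recombination of Example 9.44 for n = p * q.
from itertools import product


def is_quadratic_residue(a, p):
    """Euler's criterion: a^((p-1)/2) = 1 (mod p) for a QR, -1 for a QNR.
    Assumes p is an odd prime that does not divide a."""
    return pow(a, (p - 1) // 2, p) == 1


def qr_qnr_sets(p):
    """Split Z_p^* into quadratic residues and nonresidues (Figure 9.4)."""
    qr = [a for a in range(1, p) if is_quadratic_residue(a, p)]
    qnr = [a for a in range(1, p) if a not in qr]
    return qr, qnr


def sqrt_mod_prime(a, p):
    """Solutions of x^2 = a (mod p) for p = 3 (mod 4), as a sorted list:
    x = +/- a^((p+1)/4) (mod p). Empty list when a is a QNR."""
    if p % 4 != 3:
        raise ValueError("only the special case p = 4k + 3 is handled")
    if not is_quadratic_residue(a % p, p):
        return []                          # no solution, as in Example 9.40
    x = pow(a, (p + 1) // 4, p)
    return sorted({x, (-x) % p})           # the two incongruent solutions


def crt2(a1, m1, a2, m2):
    """Two-modulus Chinese remainder theorem (m1, m2 coprime)."""
    M = m1 * m2
    M1, M2 = M // m1, M // m2
    return (a1 * M1 * pow(M1, -1, m1) + a2 * M2 * pow(M2, -1, m2)) % M


def sqrt_mod_pq(a, p, q):
    """All solutions of x^2 = a (mod p*q): solve modulo each prime, then
    combine every (+/-, +/-) pair with the CRT, giving up to four answers.
    Without the factorization p, q this step is not available, which is the
    point of the complexity note that follows in the text."""
    roots_p = sqrt_mod_prime(a % p, p)
    roots_q = sqrt_mod_prime(a % q, q)
    return sorted(crt2(rp, p, rq, q) for rp, rq in product(roots_p, roots_q))
```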





Complexity

How hard is it to solve a quadratic congruence modulo a composite? The main task is
the factorization of the modulus. In other words, the complexity of solving a quadratic
congruence modulo a composite is the same as factorizing a composite integer. As we
have seen, if n is very large, factorization is infeasible.

Solving a quadratic congruence modulo a composite is as hard as factorization
of the modulus.



9.6 EXPONENTIATION AND LOGARITHM

Exponentiation and logarithm are inverses of each other. The following shows the rela-
tionship between them, in which a is called the base of the exponentiation or logarithm.

Exponentiation: y = a^x    ↔    Logarithm: x = log_a y



Exponentiation

In cryptography, a common modular operation is exponentiation. That is, we often
need to calculate

The cryptosystem, which will be discussed in Chapter 10, uses exponentiation
for both encryption and decryption with very large exponents. Unfortunately, most com-
puter languages have no operator that can efficiently compute exponentiation, particularly
when the exponent is very large. To make this type of calculation more efficient, we need
algorithms that are more efficient.

Fast Exponentiation

Fast exponentiation is possible using the square-and-multiply method. In traditional
algorithms only multiplication is used to simulate exponentiation, but the fast exponen-
tiation algorithm uses both squaring and multiplication. The main idea behind this
method is to treat the exponent as a binary number of nb bits (x0 to x(nb−1)). For exam-
ple, x = 22 = (10110)2. In general, x can be written as:

Now we can write y = a^x as shown in Figure 9.6.



Figure 9.6 The idea behind the square-and-multiply method



Note that y is the product of nb terms. Each term is either 1 (if the corresponding
bit is 0) or a^(2^i) (if the corresponding bit is 1). In other words, the term a^(2^i) is included in
the multiplication if the bit is 1; it is not included if the bit is 0 (multiplication by 1 has
no effect). Figure 9.6 gives the general idea how to write the algorithm. We can contin-
uously square the base: a, a^2, a^4, ..., a^(2^(nb−1)). If the corresponding bit is 0, the term is
not included in the multiplication process; if the bit is 1, it is. Algorithm 9.7 reflects
these two observations.




Algorithm 9.7 Pseudocode for square-and-multiply algorithm

Square_and_Multiply (a, x, n)               // x is the exponent; n is the modulus
{
    y ← 1
    for (i ← 0 to nb − 1)                   // nb is the number of bits in x
    {
        if (xi = 1) y ← a × y mod n         // multiply only if the bit is 1
        a ← a^2 mod n                       // squaring is not needed in the last iteration
    }
    return y
}



Algorithm 9.7 uses nb iterations. In each iteration, it checks the value of the corre-
sponding bit. If the value of the bit is 1, it multiplies the current base with the previous
value of the result. It then squares the base for the next iteration. Note that squaring is
not needed in the last step (the result is not used).

Example 9.45

Figure 9.7 shows the process for calculating y = a^x using Algorithm 9.7 (for simplicity the
modulus is not shown). In this case, x = 22 = (10110)2 in binary. The exponent has five bits.

Figure 9.7 Demonstration of calculation of a^22 using square-and-multiply method

Squaring is done in each step except the last. Multiplication is done only if the corresponding
bit is 1. Figure 9.7 shows how the values of y are gradually built until y = a^22. The solid boxes mean
that multiplication is ignored and the previous value of y is carried to the next step. Table 9.3 shows
how the value for y = 17^22 mod 21 is calculated. The result is y = 4.

Table 9.3 Calculation of 17^22 mod 21

i    xi    Multiplication (initialization: y = 1)    Squaring (initialization: a = 17)
0    0     (not done, bit is 0)                      a = 17^2 mod 21 = 16
1    1     y = 1 × 16 mod 21 = 16                    a = 16^2 mod 21 = 4
2    1     y = 16 × 4 mod 21 = 1                     a = 4^2 mod 21 = 16
3    0     (not done, bit is 0)                      a = 16^2 mod 21 = 4
4    1     y = 1 × 4 mod 21 = 4                      (not needed in the last step)
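Algorithm 9.7 with the per-iteration trace of Table 9.3, as an added Python example (not code from the book); the function names are my own, and the trace is checked against Python's built-in pow for larger exponents.

```python
# Added example (not from the book): Algorithm 9.7, square-and-multiply,
# with the per-iteration trace of Table 9.3 (17^22 mod 21).


def bits_lsb_first(x):
    """Bits x_0 .. x_{nb-1} of x, least significant first: 22 -> [0, 1, 1, 0, 1]."""
    bits = []
    while x > 0:
        bits.append(x & 1)
        x >>= 1
    return bits


def square_and_multiply(a, x, n):
    """y = a^x mod n, scanning the exponent from the least significant bit.

    Every intermediate value is reduced mod n, so the numbers never grow
    beyond n^2 even for exponents of hundreds of bits; squaring and the
    conditional multiplication only interact through the current base.
    """
    y = 1
    for bit in bits_lsb_first(x):
        if bit == 1:
            y = (a * y) % n           # multiply only if the bit is 1
        a = (a * a) % n               # square the base for the next bit
    return y


def square_and_multiply_trace(a, x, n):
    """Same algorithm; returns the rows (i, x_i, y, a) of Table 9.3.
    The last row leaves a unchanged, since squaring is not needed there."""
    rows = []
    y = 1
    bits = bits_lsb_first(x)
    for i, bit in enumerate(bits):
        if bit == 1:
            y = (a * y) % n
        if i < len(bits) - 1:
            a = (a * a) % n
        rows.append((i, bit, y, a))
    return rows
```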



Complexity  Algorithm 9.7 uses a maximum of 2nb arithmetic operations in which nb
is the length of the modulus in bits (nb = log2 n), so the bit-operation complexity of the
algorithm is O(nb^3) or polynomial.

The bit-operation complexity of the fast exponentiation algorithm is polynomial.

Alternative Algorithm  Note that Algorithm 9.7 checks the value of bits in x from
the right to the left (least significant to most significant). An algorithm can be written to
use the reverse order. We have chosen the above algorithm because the squaring opera-
tion is totally independent from the multiplication operation; they can be done in paral-
lel to increase the speed of processing. The alternative algorithm is left as an exercise.

Logarithm

In cryptography, we also need to discuss modular logarithm. If we use exponentiation
to encrypt or decrypt, the adversary can use logarithm to attack. We need to know how
hard it is to reverse the exponentiation.

Exhaustive Search

The first solution that might come to mind is to solve x = log_a y (mod n). We can write
an algorithm that continuously calculates y = a^x mod n until it finds the value of the given y.
Algorithm 9.8 shows this approach.

Algorithm 9.8  Exhaustive search for modular logarithm

Modular_Logarithm (a, y, n)
{
    for (x = 1 to n − 1)
    {
        if (y ≡ a^x mod n) return x
    }
    return failure
}

Algorithm 9.8 is definitely very inefficient. The bit-operation complexity is O(2^n_b), or exponential.

Discrete Logarithm

The second approach is to use the concept of discrete logarithm. Understanding this concept requires understanding some properties of multiplicative groups.

Finite Multiplicative Group  In cryptography, we often use the finite multiplicative group G = <Z_n*, ×>, in which the operation is multiplication. The set Z_n* contains those integers from 1 to n − 1 that are relatively prime to n; the identity element is e = 1. Note that when the modulus of the group is a prime, we have G = <Z_p*, ×>. This group is a special case of the first group, so we concentrate on the first group in this section.



CHAPTER 9 MATHEMATICS OF CRYPTOGRAPHY

Order of the Group  In Chapter 4, we discussed the order of a finite group, |G|, to be the number of elements in the group G. In G = <Z_n*, ×>, it can be proved that the order of the group is φ(n). We have shown how to calculate φ(n) when n can be factored into primes.

Example 9.46

What is the order of the group G = <Z_21*, ×>? |G| = φ(21) = φ(3) × φ(7) = 2 × 6 = 12. There are 12 elements in this group: 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, and 20. All are relatively prime with 21.

Order of an Element  In Chapter 4, we discussed the order of an element, ord(a). In G = <Z_n*, ×>, we continue with the same definition. The order of an element, a, is the smallest integer i such that a^i ≡ e (mod n). The identity element e is 1 in this case.

Example 9.47

Find the order of all elements in G = <Z_10*, ×>.

Solution

This group has only φ(10) = 4 elements: 1, 3, 7, 9. We can find the order of each element by trial and error. However, recall from Chapter 4 that the order of an element divides the order of the group (Lagrange's theorem). The only integers that divide 4 are 1, 2, and 4, which means in each case we need to check only these powers to find the order of the element.

a. 1^1 = 1 mod (10) → ord(1) = 1.
b. 3^1 = 3 mod (10); 3^2 = 9 mod (10); 3^4 = 1 mod (10) → ord(3) = 4.
c. 7^1 = 7 mod (10); 7^2 = 9 mod (10); 7^4 = 1 mod (10) → ord(7) = 4.
d. 9^1 = 9 mod (10); 9^2 = 1 mod (10) → ord(9) = 2.



Euler's Theorem  Another related theorem is Euler's theorem (discussed in this chapter), which says that if a is a member of G = <Z_n*, ×>, then a^φ(n) ≡ 1 mod n.

This theorem is very helpful because it shows that the relationship a^i ≡ 1 (mod n) holds when i = φ(n), even if it also holds for some i < φ(n). In other words, this relation holds at least once.



Example 9.48

Table 9.4 shows the result of x = a^i mod 8 for the group G = <Z_8*, ×>. Note that φ(8) = 4. The elements are 1, 3, 5, and 7.

Table 9.4  Finding the orders of elements in Example 9.48

a        i = 1   i = 2   i = 3   i = 4   i = 5   i = 6   i = 7
a = 1    x: 1    x: 1    x: 1    x: 1    x: 1    x: 1    x: 1
a = 3    x: 3    x: 1    x: 3    x: 1    x: 3    x: 1    x: 3
a = 5    x: 5    x: 1    x: 5    x: 1    x: 5    x: 1    x: 5
a = 7    x: 7    x: 1    x: 7    x: 1    x: 7    x: 1    x: 7

Table 9.4 reveals some points. First, the shaded area (the column i = φ(n) = 4) shows the result of applying Euler's theorem: when i = φ(n) = 4, the result is x = 1 for every a. Second, the table shows that the value x can be 1 for many values of i. The first time x is 1, the value of i gives us the order of the element (double-sided boxes in the original table). The orders of the elements are ord(1) = 1, ord(3) = 2, ord(5) = 2, and ord(7) = 2.

Primitive Roots  A very interesting concept in multiplicative groups is that of primitive root, which is used in the ElGamal cryptosystem in Chapter 10. In the group G = <Z_n*, ×>, when the order of an element is the same as φ(n), that element is called a primitive root of the group.

Example 9.49

Table 9.4 shows that there are no primitive roots in G = <Z_8*, ×> because no element has order equal to φ(8) = 4. The orders of the elements are all smaller than 4.

Example 9.50

Table 9.5 shows the result of x = a^i (mod 7) for the group G = <Z_7*, ×>. In this group, φ(7) = 6.

Table 9.5  Example 9.50

a        i = 1   i = 2   i = 3   i = 4   i = 5   i = 6
a = 1    x: 1    x: 1    x: 1    x: 1    x: 1    x: 1
a = 2    x: 2    x: 4    x: 1    x: 2    x: 4    x: 1
a = 3    x: 3    x: 2    x: 6    x: 4    x: 5    x: 1    ← Primitive root
a = 4    x: 4    x: 2    x: 1    x: 4    x: 2    x: 1
a = 5    x: 5    x: 4    x: 6    x: 2    x: 3    x: 1    ← Primitive root
a = 6    x: 6    x: 1    x: 6    x: 1    x: 6    x: 1

The orders of the elements are ord(1) = 1, ord(2) = 3, ord(3) = 6, ord(4) = 3, ord(5) = 6, and ord(6) = 2. Table 9.5 shows that only two elements, 3 and 5, have the order φ(n) = 6. Therefore, this group has only two primitive roots: 3 and 5.

It has been proved that the group G = <Z_n*, ×> has a primitive root only if n is 2, 4, p^t, or 2p^t, in which p is an odd prime (not 2) and t is an integer.

The group G = <Z_n*, ×> has primitive roots only if n is 2, 4, p^t, or 2p^t.



Example 9.51

For which values of n does the group G = <Z_n*, ×> have primitive roots: 17, 20, 38, and 50?

Solution

a. G = <Z_17*, ×> has primitive roots, because 17 is a prime (p^t, where t is 1).
b. G = <Z_20*, ×> has no primitive roots.
c. G = <Z_38*, ×> has primitive roots, because 38 = 2 × 19 and 19 is a prime.
d. G = <Z_50*, ×> has primitive roots, because 50 = 2 × 5^2 and 5 is a prime.

If a group has a primitive root, then it normally has several of them. The number of primitive roots can be calculated as φ(φ(n)). For example, the number of primitive roots of G = <Z_17*, ×> is φ(φ(17)) = φ(16) = 8. Note that we should first check to see if the group has any primitive root before we find the number of roots.

If the group G = <Z_n*, ×> has any primitive root, the number of primitive roots is φ(φ(n)).

Three questions arise:

1. Given an element a and the group G = <Z_n*, ×>, how can we find out whether a is a primitive root of G? This is not an easy task.
   a. We need to find φ(n), which is as difficult as factorization of n.
   b. We need to check whether ord(a) = φ(n).

2. Given a group G = <Z_n*, ×>, can we check all primitive roots of G? This is more difficult than the first task because we need to repeat part b for all elements of the group.

3. Given a group G = <Z_n*, ×>, how can we select a primitive root of G? In cryptography, we need to find at least one primitive root in the group. However, in this case, the value of n is chosen by the user and the user knows the value of φ(n). The user tries several elements until he or she finds the first one.

Cyclic Group  Cyclic groups were discussed in Chapter 4. Note that if the group G = <Z_n*, ×> has primitive roots, it is cyclic. Each primitive root is a generator and can be used to create the whole set. In other words, given a primitive root g in the group, we can generate the set Z_n* as the powers g^i for i = 1, 2, ..., φ(n).

Example 9.52

The group G = <Z_10*, ×> has two primitive roots because φ(10) = 4 and φ(φ(10)) = 2. It can be found that the primitive roots are 3 and 7. The following shows how we can create the whole set using each primitive root.

g = 3:   3^1 mod 10 = 3    3^2 mod 10 = 9    3^3 mod 10 = 7    3^4 mod 10 = 1
g = 7:   7^1 mod 10 = 7    7^2 mod 10 = 9    7^3 mod 10 = 3    7^4 mod 10 = 1

Note that the group G = <Z_p*, ×> is always cyclic because p is a prime.

The group G = <Z_n*, ×> is a cyclic group if it has primitive roots.
The group G = <Z_p*, ×> is always cyclic.

The Idea of Discrete Logarithm  The group G = <Z_p*, ×> has several interesting properties:

1. Its elements include all integers from 1 to p − 1.

2. It always has primitive roots.

3. It is cyclic. The elements can be created using g^x, where x is an integer from 1 to φ(n) = p − 1.

4. The primitive roots can be thought of as the base of logarithm. If the group has k primitive roots, calculations can be done in k different bases. Given x = log_g1 y for one element y in the set, there is another element x' that is the log of y in base g2. This type of logarithm is called discrete logarithm. A discrete logarithm is designated by several different symbols in the literature, but we will use the notation L_g y to show that the base is g (the modulus is understood).



Modular Logarithm Using Discrete Logs

Now let us see how to solve problems of the type y = a^x (mod n) when y is given and we need to find x.

Tabulation of Discrete Logarithms  One way to solve the above-mentioned problem is to use a table for each Z_n* and different bases. This type of table can be precalculated and saved. For example, Table 9.6 shows the tabulation of the discrete logarithm for Z_7*. We know that we have two primitive roots, or bases, in the set.

Table 9.6  Discrete logarithm for G = <Z_7*, ×>

y         1    2    3    4    5    6
L_3 y     6    2    1    4    5    3
L_5 y     6    4    5    2    1    3

Given the tabulation of discrete logarithms for every group and all possible bases, we can solve any discrete logarithm problem. This is similar to the past with traditional logarithms. Before the era of calculators and computers, tables were used to calculate logarithms in base 10.



Example 9.53

Find x in each of the following cases:
a. 4 ≡ 3^x (mod 7).
b. 6 ≡ 5^x (mod 7).

Solution

We can easily use the tabulation of the discrete logarithm in Table 9.6.

a. 4 ≡ 3^x mod 7 → x = L_3 4 mod 7 = 4 mod 7
b. 6 ≡ 5^x mod 7 → x = L_5 6 mod 7 = 3 mod 7

Using Properties of Discrete Logarithms  To see that discrete logarithms behave just like traditional logarithms, several properties of both types of logarithms are given in Table 9.7. Note that the modulus is φ(n) instead of n.

Table 9.7  Comparison of traditional and discrete logarithms

Traditional Logarithm                 Discrete Logarithm
log_a (x × y) = log_a x + log_a y     L_g (x × y) = (L_g x + L_g y) (mod φ(n))
log_a x^k = k × log_a x               L_g x^k = k × L_g x (mod φ(n))






Using Algorithms Based on Discrete Logarithms  Tabulation and the properties of discrete logarithms cannot be used to solve y = a^x (mod n) when n is very large. Several algorithms have been developed that use the basic idea of discrete logarithms to solve the problem. Although all of these algorithms are more efficient than the exhaustive-search algorithm that we mentioned at the beginning of this section, none of them has polynomial complexity. Most of these algorithms have the same level of complexity as the factorization problem.

The discrete logarithm problem has the same complexity as the factorization problem.
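The following Python is an added example, not the book's code: it computes orders, primitive roots, generated sets and a discrete-logarithm table for <Z_n*, ×>, reproducing Examples 9.47, 9.50, 9.52 and 9.53, and includes the exhaustive search of Algorithm 9.8 for comparison. Function names are mine.

```python
# Orders, primitive roots, generated sets and discrete-logarithm tables for the
# group G = <Z_n*, x>, as in Examples 9.47 to 9.53, plus the exhaustive search of
# Algorithm 9.8. Function names are my own, not the book's notation.
from math import gcd


def elements(n):
    """Z_n*: the integers 1..n-1 that are relatively prime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def phi(n):
    """Euler's phi-function, which is also the order |G| of Z_n*."""
    return len(elements(n))


def order(a, n):
    """ord(a): the smallest i >= 1 with a^i = 1 (mod n).
    By Lagrange's theorem ord(a) divides phi(n), so only the divisors of
    phi(n) need to be tried (Example 9.47)."""
    ph = phi(n)
    for i in range(1, ph + 1):
        if ph % i == 0 and pow(a, i, n) == 1:
            return i
    raise ValueError("%d is not an element of Z_%d*" % (a, n))


def primitive_roots(n):
    """Elements of order phi(n). Empty unless n is 2, 4, p^t or 2p^t."""
    ph = phi(n)
    return [a for a in elements(n) if order(a, n) == ph]


def generate(g, n):
    """g^1, g^2, ..., g^phi(n) mod n; this is all of Z_n* exactly when g is a
    primitive root (Example 9.52)."""
    return [pow(g, i, n) for i in range(1, phi(n) + 1)]


def dlog_table(n):
    """Table 9.6 for any n with primitive roots: {g: {y: L_g y}}, with
    L_g y in 1..phi(n) as the text defines it."""
    ph = phi(n)
    return {g: {pow(g, i, n): i for i in range(1, ph + 1)}
            for g in primitive_roots(n)}


def discrete_log(a, y, n):
    """Algorithm 9.8: try x = 1..n-1 until a^x = y (mod n). O(n) trials,
    i.e. O(2^n_b) in the bit length of n; returns None on failure."""
    for x in range(1, n):
        if pow(a, x, n) == y:
            return x
    return None


if __name__ == "__main__":
    print([order(a, 10) for a in elements(10)])   # [1, 4, 4, 2]  (Example 9.47)
    print(primitive_roots(8), primitive_roots(7))  # [] [3, 5]    (Examples 9.49, 9.50)
    print(generate(3, 10), generate(7, 10))        # Example 9.52
    print(dlog_table(7))                           # Table 9.6
    print(discrete_log(3, 4, 7), discrete_log(5, 6, 7))   # 4 3 (Example 9.53)
```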

9.7 RECOMMENDED READING

For more details about the subjects discussed in this chapter, we recommend the following books and websites. The items enclosed in brackets refer to the reference list at the end of the book.

Books

We recommend [fto£G6L ICouSW], and LBW^Land [BlafBJ for topics discussed in this chapter.

Websites

The following websites give more information about topics discussed in this chapter.

http://en.wikipedia.org/wiki/Prime_number
http://primes.utm.edu/mersenne/
http://en.wikipedia.org/wiki/Primality_test




9.8 KEY TERMS

Chinese remainder theorem (CRT)
composite
coprime (relatively prime)
deterministic algorithm
discrete logarithm
divisibility test
Euler's phi-function
Euler's theorem
exponentiation
factorization
Fermat factorization method
Fermat primality test
Fermat numbers
Fermat primes
Fermat's little theorem
Mersenne numbers
Mersenne primes
Miller-Rabin primality test
number field sieve method
Pollard p − 1 factorization method
Pollard rho factorization method
primality test
prime
primitive root
probabilistic algorithm
pseudoprime
quadratic congruence
quadratic equation
quadratic nonresidue
quadratic residue (QR)
quadratic sieve method
sieve of Eratosthenes
square-and-multiply method
square root primality test method
strong pseudoprime
trial division factorization method

9.9 SUMMARY




□ The positive integers can be divided into three groups: the number 1, primes, and composites. A positive integer is a prime if and only if it is exactly divisible by two different integers, 1 and itself. A composite is a positive integer with more than two divisors. Euler's phi-function, which is sometimes called Euler's totient function, plays a very important role in cryptography. The function finds the number of integers that are both smaller than n and relatively prime to n.

□ Table 9.8 shows Fermat's little theorem and Euler's theorem, as discussed in this chapter.

Table 9.8  Fermat's little theorem and Euler's theorem

Fermat's little theorem
    First version:    If gcd(a, p) = 1, then a^(p−1) ≡ 1 (mod p)
    Second version:   a^p ≡ a (mod p)

Euler's theorem
    First version:    If gcd(a, n) = 1, then a^φ(n) ≡ 1 (mod n)
    Second version:   If n = p × q and a < n, then a^(k × φ(n) + 1) ≡ a (mod n)

□ To create a large prime, we choose a large random number and test it to be sure that it is a prime. The algorithms that deal with this issue can be divided into two broad categories: deterministic algorithms and probabilistic algorithms. Some probabilistic algorithms for primality test are the Fermat test, the square root test, and the Miller-Rabin test. Some deterministic algorithms are the divisibility test and the AKS algorithm.

□ According to the Fundamental Theorem of Arithmetic, any positive integer greater than 1 can be factored into primes. We mentioned several factorization methods including trial division, the Fermat method, the Pollard p − 1 method, the Pollard rho method, the quadratic sieve, and the number field sieve.




□ The Chinese remainder theorem (CRT) is used to solve a set of congruences whose moduli are pairwise relatively prime.

□ We discussed solutions to quadratic congruence modulo a prime and quadratic congruence modulo a composite. However, if the modulus is a composite, solving a quadratic congruence is as hard as factorization of the modulus.

□ Modular exponentiation can be done efficiently using the square-and-multiply method. Cryptography also involves modular logarithm. If exponentiation is used to encrypt or decrypt, the adversary can use logarithm to attack. We need to know how hard it is to reverse it. Solving modular logarithm for a large modulus is as hard as the factorization problem.



9.10 PRACTICE SET

Review Questions

1. Distinguish between a prime and a composite integer.

2. Define the meaning of relatively prime.

3. Define the following functions and their applications:
   a. π(n) function
   b. Euler's totient function

4. Explain the sieve of Eratosthenes and its application.

5. Define Fermat's little theorem and explain its application.

6. Define Euler's theorem and explain its application.

7. What are Mersenne primes? What are Fermat primes?

8. Distinguish between deterministic and probabilistic algorithms for primality testing.

9. List some algorithms for factorization of primes.

10. Define the Chinese remainder theorem and its application.



Exercises

11. Using approximation, find
    a. the number of primes between 100,000 and 200,000.
    b. the number of composite integers between 100,000 and 200,000.

12. [exercise text illegible in the scan]

13. Find the largest prime factor of [number illegible in the scan].

14. Prove that every prime is either of the form 4k + 1 or 4k + 3.

16. Prove that every prime, except 5, is of the form 5k + 1, 5k + 2, 5k + 3, or 5k + 4.

17. Find the value of φ(29), φ(32), φ(80), φ(100), and φ(101).

18. Show that 2^[illegible] − 1 and 2^[illegible] − 1 are composites. Hint: Use the expansion of (a^2 [rest illegible]).

20. It is conjectured that every even integer greater than 2 can be written as the sum of two primes. Test this conjecture for 10, 24, 28, and 100.

21. Find the result of the following, using Fermat's little theorem:
    a. 5^13 mod 13
    b. 15^16 mod 17
    c. 456^17 mod 17
    d. 145^102 mod 101

22. Find the results of the following, using Fermat's little theorem:
    a. 5^−1 mod 13
    b. 15^−1 mod 17
    c. 27^−1 mod 41
    d. 70^−1 mod 101
    Note that all moduli are primes.

23. Find the results of the following, using Euler's theorem:
    a. 12^−1 mod 77
    b. 16^−1 mod 323
    c. 20^−1 mod 403
    d. 44^−1 mod 667
    Note that 77 = 7 × 11, 323 = 17 × 19, 403 = 31 × 13, and 667 = 23 × 29.

24. [first sentence illegible in the scan; it concerns Mersenne primes] Hint: Any divisor of a Mersenne number has the form 2kp + 1.

25. Write some examples to show that if 2^n − 1 is a prime, then n is a prime. Can this fact be used for prim
ality testing? Explain.

26. How many of the following integers pass the Fermat primality test: 100, 110, 130, 150, 200, 250, 271, 341, 561? Use base 2.

27. How many of the following integers pass the Miller-Rabin primality test: 100, 109, 201, 271, 341, 349? Use base 2.



29. Use x = 2, x = 3, and a few primes to show that if p is a prime, the following congruence holds: [congruence illegible in the scan] (mod p).

30. It is said that the nth prime can be approximated as p_n ≈ n ln n. Check this with some primes.

31. Find the value of x for the following sets of congruences using the Chinese remainder theorem.
    a. x ≡ 2 mod 7, and x ≡ 3 mod 9
    b. x ≡ 4 mod 5, and x ≡ 10 mod 11
    c. x ≡ 7 mod 13, and x ≡ 11 mod 12

32. Find all QRs and QNRs in Z_7*, Z_13*, and Z_23*.

33. Using quadratic residues, solve the following congruences:
    a. x^2 ≡ 4 mod 7
    b. x^2 ≡ 5 mod 11
    c. x^2 ≡ 7 mod 13
    d. x^2 ≡ 12 mod 17

34. Using quadratic residues, solve the following congruences:
    a. x^2 ≡ 4 mod 34
    b. x^2 ≡ 5 mod 10
    c. x^2 ≡ 7 mod 33
    d. x^2 ≡ 12 mod 34

35. Find the result of the following using the square-and-multiply method.
    a. 21^24 mod 8
    b. 320^23 mod 461
    c. 1736^41 mod 2134
    d. [base and exponent illegible in the scan] mod 2000

36. For the group G = <Z_15*, ×>:
    a. Find the order of the group.
    b. Find the order of each element in the group.
    c. Find the number of primitive roots in the group.
    d. Find the primitive roots in the group.
    e. Show that the group is cyclic.
    f. Make a table of discrete logarithms.

37. Using the properties of discrete logarithms, show how to solve the following congruences:
    a. x^5 ≡ 11 mod 17
    b. [coefficient illegible in the scan] x^11 ≡ 22 mod 19
    c. 5x^12 + 6x ≡ 8 mod 23



38. Assume that you have a computer performing 1 million bit operations per second. You want to spend only 1 hour on primality testing. What is the largest number you can test using the following primality testing methods?
    a. divisibility
    b. AKS algorithm
    c. Fermat
    d. square root
    e. Miller-Rabin

39. Assume that you have a computer that performs 1 million bit operations per second. You want to spend only 1 hour on factoring a composite integer. What is the largest number you can factor using the following factorization methods?
    a. trial division
    b. Fermat
    c. Pollard rho
    d. quadratic sieve
    e. number field sieve

40. The square-and-multiply exponentiation algorithm allows us to halt the program if the value of the base becomes 1. Modify Algorithm 9.7 to show this.

41. Rewrite Algorithm 9.7 to test the bits in the exponent in order of the most significant to the least significant.

42. The square-and-multiply fast exponentiation algorithm can also be designed to test whether the exponent is even or odd instead of testing the bit value. Rewrite Algorithm 9.7 to show this.

43. Write an algorithm in pseudocode for the Fermat primality test.

44. Write an algorithm in pseudocode for the square root primality test.

45. Write an algorithm in pseudocode for the Chinese remainder theorem.

46. Write an algorithm in pseudocode to find QR and QNR for any Z_p*.

47. Write an algorithm in pseudocode to find a primitive root for the set Z_p*.

48. Write an algorithm in pseudocode to find all primitive roots for the set Z_p*.

49. Write an algorithm to find and store the discrete logarithms for the set Z_p*.






10  Asymmetric-Key Cryptography

This chapter has several objectives:

□ To distinguish between symmetric-key and asymmetric-key cryptosystems

□ To introduce trapdoor one-way functions and their use in asymmetric-key cryptosystems

□ To introduce the knapsack cryptosystem as one of the first ideas in asymmetric-key cryptography

□ To discuss the RSA cryptosystem

□ To discuss the Rabin cryptosystem

□ To discuss the ElGamal cryptosystem

□ To discuss the elliptic curve cryptosystem

This chapter discusses several asymmetric-key cryptosystems: RSA, Rabin, ElGamal, and ECC. Discussion of the Diffie-Hellman cryptosystem is postponed until Chapter 15 because it is mainly a key-exchange algorithm rather than an encryption/decryption algorithm.

The Diffie-Hellman cryptosystem is discussed in Chapter 15.



10.1 INTRODUCTION

In Chapters 3 through 8, we emphasized the principles of symmetric-key cryptography. In this chapter, we start the discussion of asymmetric-key cryptography. Symmetric- and asymmetric-key cryptography will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other.




CHAPTER 10 ASYMMETRIC-KEY CRYPTOGRAPHY

The conceptual differences between the two systems are based on how these systems keep a secret. In symmetric-key cryptography, the secret must be shared between two persons. In asymmetric-key cryptography, the secret is personal (unshared); each person creates and keeps his or her own secret.

In a community of n people, n(n − 1)/2 shared secrets are needed for symmetric-key cryptography; only n personal secrets are needed in asymmetric-key cryptography. For a community with a population of 1 million, symmetric-key cryptography would require half a billion shared secrets; asymmetric-key cryptography would require 1 million personal secrets.

Symmetric-key cryptography is based on sharing secrecy;
asymmetric-key cryptography is based on personal secrecy.



There are some other aspects of security besides encipherment that need asymmetric-key cryptography. These include authentication and digital signatures. Whenever an application is based on a personal secret, we need to use asymmetric-key cryptography.



Whereas symmetric-key cryptography is based on substitution and permutation of symbols (characters or bits), asymmetric-key cryptography is based on applying mathematical functions to numbers. In symmetric-key cryptography, the plaintext and ciphertext are thought of as a combination of symbols. Encryption and decryption permute these symbols or substitute one symbol for another. In asymmetric-key cryptography, the plaintext and ciphertext are numbers; encryption and decryption are mathematical functions that are applied to numbers to create other numbers.

In symmetric-key cryptography, symbols are permuted or substituted; in asymmetric-key cryptography, numbers are manipulated.



If encryption and decryption are thought of as locking and unlocking padlocks with keys, then the padlock that is locked with a public key can be unlocked only with the corresponding private key. Figure 10.1 shows that if Alice locks the padlock with Bob's public key, then only Bob's private key can unlock it.

General Idea

Figure 10.2 shows the general idea of asymmetric-key cryptography as used for encipherment. We will see other applications of asymmetric-key cryptography in future chapters. The figure shows that, unlike symmetric-key cryptography, there are distinctive keys in asymmetric-key cryptography: a private key and a public key. Although some books use the term secret key instead of private key, we use the term secret key only for symmetric-key cryptography and the terms private key and public key for asymmetric-key cryptography. We even use different symbols to show the three keys. One reason is that we believe the nature of the secret key used in symmetric-key cryptography is different



SECTION 10.1 INTRODUCTION 295

Figure 10.1  Locking and unlocking in asymmetric-key cryptosystem
[Figure: the public key locks, the private key unlocks. Communication direction is from Alice to Bob; Alice locks the padlock with Bob's public key and only Bob's private key can open it.]

Figure 10.2  General idea of asymmetric-key cryptosystem
[Figure: Bob's key-generation procedure produces a public key and a private key. The public key reaches Alice over a public-key distribution channel. Alice encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with his private key to recover the plaintext.]

from the nature of the private key used in asymmetric-key cryptography. The first is normally a string of symbols (bits, for example); the second is a number or a set of numbers. In other words, we want to show that a secret key is not exchangeable with a private key; there are two different types of secrets.

Figure 10.2 shows several important facts. First, it emphasizes the asymmetric nature of the cryptosystem. The burden of providing security is mostly on the shoulders of the receiver (Bob, in this case). Bob needs to create two keys: one private and one public. Bob is responsible for distributing the public key to the community. This can be done through a public-key distribution channel. Although this channel is not required to provide secrecy, it must provide authentication and integrity. Eve should not be able to advertise her public key to the community pretending that it is Bob's public key. Issues regarding public-key distribution are discussed in Chapter 15. For the moment, we assume that such a channel exists.



Second, asymmetric-key cryptography means that Bob and Alice cannot use the same set of keys for two-way communication. Each entity in the community should create its own private and public keys. Figure 10.2 shows how Alice can use Bob's public key to send encrypted messages to Bob. If Bob wants to respond, Alice needs to establish her own private and public keys.

Third, asymmetric-key cryptography means that Bob needs only one private key to receive all correspondence from anyone in the community, but Alice needs n public keys to communicate with n entities in the community, one public key for each entity. In other words, Alice needs a ring of public keys.

Plaintext/Ciphertext

Unlike in symmetric-key cryptography, plaintext and ciphertext are treated as integers in asymmetric-key cryptography. The message must be encoded as an integer (or a set of integers) before encryption; the integer (or the set of integers) must be decoded into the message after decryption. Asymmetric-key cryptography is normally used to encrypt or decrypt small pieces of information, such as the cipher key for a symmetric-key cryptography. In other words, asymmetric-key cryptography normally is used for ancillary goals instead of message encipherment. However, these ancillary goals play a very important role in cryptography today.

Encryption and decryption in asymmetric-key cryptography are mathematical functions applied over the numbers representing the plaintext and ciphertext. The ciphertext can be thought of as C = f(K_public, P); the plaintext can be thought of as P = g(K_private, C). The encryption function f is used only for encryption; the decryption function g is used only for decryption. Next we show that the function f needs to be a trapdoor one-way function to allow Bob to decrypt the message but to prevent Eve from doing so.

Need for Both

There is a very important fact that is sometimes misunderstood: The advent of asymmetric-key (public-key) cryptography does not eliminate the need for symmetric-key (secret-key) cryptography. The reason is that asymmetric-key cryptography, which uses mathematical functions for encryption and decryption, is much slower than symmetric-key cryptography. For encipherment of large messages, symmetric-key cryptography is still needed. On the other hand, the speed of symmetric-key cryptography does not eliminate the need for asymmetric-key cryptography. Asymmetric-key cryptography is still needed for authentication, digital signatures, and secret-key exchanges. This means that, to be able to use all aspects of security today, we need both symmetric-key and asymmetric-key cryptography. One complements the other.



Trapdoor One-Way Function

The main idea behind asymmetric-key cryptography is the concept of the trapdoor one-way function.



Functions

Although the concept of a function is familiar from mathematics, we give an informal definition here. A function is a rule that associates (maps) one element in set A, called the domain, to one element in set B, called the range, as shown in Figure 10.3.

Figure 10.3  A function as a rule mapping a domain to a range

An invertible function is a function that associates each element in the range with exactly one element in the domain.

One-Way Function

A one-way function (OWF) is a function that satisfies the following two properties:

1. f is easy to compute. In other words, given x, y = f(x) can be easily computed.

2. f^−1 is difficult to compute. In other words, given y, it is computationally infeasible to calculate x = f^−1(y).

Trapdoor One-Way Function

A trapdoor one-way function (TOWF) is a one-way function with a third property:

3. Given y and a trapdoor (secret), x can be computed easily.

Example 10.1

When n is large, n = p × q is a one-way function. Note that in this function x is a tuple (p, q) of two primes and y is n. Given p and q, it is always easy to calculate n; given n, it is very difficult to compute p and q. This is the factorization problem that we saw in Chapter 9. There is not a polynomial-time solution to the f^−1 function in this case.

Example 10.2

When n is large, the function y = x^k mod n is a trapdoor one-way function. Given x, k, and n, it is easy to calculate y using the fast exponential algorithm we discussed in Chapter 9. Given y, k, and n, it is very difficult to calculate x. This is the discrete logarithm problem we discussed in Chapter 9. There is not a polynomial-time solution to the f^−1 function in this case. However, if we know the trapdoor, k' such that k × k' = 1 mod φ(n), we can use x = y^k' mod n to find x. This is the famous RSA, which will be discussed later in this chapter.






Knapsack Cryptosystem

The first brilliant idea of public-key cryptography came from Merkle and Hellman, in their knapsack cryptosystem. Although this system was found to be insecure by today's standards, the main idea behind this cryptosystem gives an insight into the recent public-key cryptosystems discussed later in this chapter.

If we are told which elements, from a predefined set of numbers, are in a knapsack, we can easily calculate the sum of the numbers; if we are told the sum, it is difficult to say which elements are in the knapsack.

Definition

Suppose we are given two k-tuples, a = [a_1, a_2, ..., a_k] and x = [x_1, x_2, ..., x_k]. The first tuple is the predefined set; the second tuple, in which x_i is only 0 or 1, defines which elements of a are to be dropped in the knapsack. The sum of the elements in the knapsack is

    s = knapsackSum(x, a) = x_1 a_1 + x_2 a_2 + ... + x_k a_k

Given a and x, it is easy to calculate s. However, given s and a, it is difficult to find x. In other words, s = knapsackSum(x, a) is easy to calculate, but x = inv_knapsackSum(s, a) is difficult. The function knapsackSum is a one-way function if a is a general k-tuple.

Superincreasing Tuple

It is easy to compute knapsackSum and inv_knapsackSum if the k-tuple a is superincreasing. In a superincreasing tuple, a_i ≥ a_1 + a_2 + ... + a_{i−1}. In other words, each element (except a_1) is greater than or equal to the sum of all previous elements. In this case we calculate knapsackSum and inv_knapsackSum as shown in Algorithm 10.1. The algorithm inv_knapsackSum starts from the largest element and proceeds to the smallest one. In each iteration, it checks to see whether an element is in the knapsack.



Algorithm 10.1 knapsackSum and inv_knapsackSum for a superincreasing k-tuple



Example 10.3

As a very trivial example, assume that a = [17, 25, 46, 94, 201, 400] and s = 272 are given. Figure 10.3 shows how the tuple x is found using the inv_knapsackSum routine in Algorithm 10.1.

Figure 10.3 Finding x from s = 272 with inv_knapsackSum (values read from the figure's columns)

  i    a_i    s before    s >= a_i    x_i    s after
  6    400    272         false       0      272
  5    201    272         true        1      71
  4    94     71          false       0      71
  3    46     71          true        1      25
  2    25     25          true        1      0
  1    17     0           false       0      0

In this case x = [0, 1, 1, 0, 1, 0], which means that 25, 46, and 201 are in the knapsack.



Secret Communication with Knapsacks

Let us see how Alice can send a secret message to Bob using a knapsack cryptosystem. The idea is shown in Figure 10.4.



Figure 10.4 Secret communication with knapsack cryptosystem (Bob: key generation, selects modulus n and r, announces a to the public; Alice: plaintext x, encryption, ciphertext s; Bob: decryption, x = permute(x'), plaintext x)

Key Generation

a. Create a superincreasing k-tuple b = [b_1, b_2, ..., b_k].

b. Choose a modulus n such that n > b_1 + b_2 + ... + b_k.

c. Select a random integer r that is relatively prime with n and 1 ≤ r ≤ n − 1.

d. Create a temporary k-tuple t = [t_1, t_2, ..., t_k] in which t_i = r × b_i mod n.

e. Select a permutation of k objects and find a new tuple a = permute(t).

f. The public key is the k-tuple a. The private key is n, r, and the k-tuple b.

Encryption

Suppose Alice needs to send a message to Bob.

a. Alice converts her message to a k-tuple x = [x_1, x_2, ..., x_k] in which each x_i is either 0 or 1. The tuple x is the plaintext.

b. Alice uses the knapsackSum routine to calculate s. She then sends the value of s as the ciphertext.

Decryption

Bob receives the ciphertext s.

a. Bob calculates s' = r^{-1} × s mod n.

b. Bob uses inv_knapsackSum to create x'.

c. Bob permutes x' to find x. The tuple x is the recovered plaintext.

Example 10.4

This is a trivial (very insecure) example just to show the procedure.

1. Key generation:

a. Bob creates the superincreasing tuple b = [7, 11, 19, 39, 79, 157, 313].

b. Bob chooses the modulus n = 900 and r = 37, and [4 2 5 3 1 7 6] as the permutation table (a_i = t_j for the j-th entry).

c. Bob now calculates the tuple t = [259, 407, 703, 543, 223, 409, 781].

d. Bob calculates the tuple a = permute(t) = [543, 407, 223, 703, 259, 781, 409].

e. Bob publicly announces a; he keeps n, r, and b secret.

2. Suppose Alice wants to send a single character "g" to Bob.

a. She uses the 7-bit ASCII representation of "g", (1100111)_2, and creates the tuple x = [1, 1, 0, 0, 1, 1, 1]. This is the plaintext.

b. Alice calculates s = knapsackSum(x, a) = 543 + 407 + 259 + 781 + 409 = 2399. This is the ciphertext sent to Bob. (The printed text gives 2165 here; that value cannot be produced by this a and is inconsistent with s' = 527 below, so 2399 is used.)

3. Bob can decr

ypt the ciphertext s = 2399.

a. Bob calculates s' = s × r^{-1} mod n = 2399 × 37^{-1} mod 900 = 2399 × 73 mod 900 = 527.

b. Bob calculates x' = inv_knapsackSum(s', b) = [1, 1, 0, 1, 0, 1, 1].

c. Bob calculates x = permute(x') = [1, 1, 0, 0, 1, 1, 1]. He interprets the string (1100111)_2 as the character "g".

Trapdoor

Calculating the sum of items in Alice's knapsack is actually the multiplication of the row matrix x by the column matrix a. The result is a 1 × 1 matrix s. Matrix multiplication, s = x × a, in which x is a row matrix and a is a column matrix, is a one-way function: given s and a, Eve cannot find x easily. Bob, however, has a trapdoor. Bob uses his s' = r^{-1} × s mod n and the secret superincreasing column matrix b to find a row matrix x' using the inv_knapsackSum routine. The permutation allows Bob to find x from x'.
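The following is an added example, not code from the textbook: a Python implementation of the key generation, encryption and decryption steps above, with the parameter checks (superincreasing b, n larger than the sum of b, r coprime to n) that the text states but Algorithm 10.1 does not enforce. It reproduces Examples 10.3 and 10.4 with their own values; the routine names mirror the text, and the permutation is taken as the 1-based list a[i] = t[perm[i]] used in Example 10.4.

```python
"""Merkle-Hellman knapsack cryptosystem following the key generation,
encryption and decryption steps above.

Added example; not code from the textbook. Routine names mirror the text
(knapsackSum, inv_knapsackSum, permute); the permutation is given as the
1-based list used in Example 10.4, where a[i] = t[perm[i]].
"""
from math import gcd


def knapsack_sum(x, a):
    """s = knapsackSum(x, a): the sum of the a_i whose x_i is 1."""
    if len(x) != len(a):
        raise ValueError("x and a must have the same length")
    return sum(ai for xi, ai in zip(x, a) if xi)


def is_superincreasing(b):
    """True if every element is >= the sum of all elements before it."""
    total = 0
    for bi in b:
        if bi < total:
            return False
        total += bi
    return True


def inv_knapsack_sum(s, b):
    """inv_knapsackSum(s, b) for a superincreasing b (Algorithm 10.1): walk from
    the largest element down and take an element whenever it still fits."""
    if not is_superincreasing(b):
        raise ValueError("inv_knapsackSum needs a superincreasing tuple")
    x = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):
        if s >= b[i]:
            x[i] = 1
            s -= b[i]
    if s != 0:
        raise ValueError("s is not a knapsack sum of b")
    return x


def permute(t, perm):
    """a = permute(t): a[i] = t[perm[i]] with 1-based positions in perm."""
    return [t[p - 1] for p in perm]


def keygen(b, n, r, perm):
    """Key generation steps a-f. Returns (public key a, private key (n, r, b, perm))."""
    if not is_superincreasing(b):
        raise ValueError("b must be superincreasing")
    if n <= sum(b):
        raise ValueError("the modulus must exceed the sum of b")
    if not 1 <= r < n or gcd(r, n) != 1:
        raise ValueError("r must lie in [1, n-1] and be coprime to n")
    if sorted(perm) != list(range(1, len(b) + 1)):
        raise ValueError("perm must be a permutation of 1..k")
    t = [(r * bi) % n for bi in b]              # step d
    return permute(t, perm), (n, r, b, perm)    # steps e, f


def encrypt(x, a):
    """Alice: ciphertext s = knapsackSum(x, a)."""
    return knapsack_sum(x, a)


def decrypt(s, private_key):
    """Bob: s' = r^-1 * s mod n, x' = inv_knapsackSum(s', b), x = permute(x')."""
    n, r, b, perm = private_key
    s_prime = (pow(r, -1, n) * s) % n
    x_prime = inv_knapsack_sum(s_prime, b)
    return permute(x_prime, perm)   # x[i] = x'[perm[i]] undoes a = permute(t)


def bits7(ch):
    """7-bit ASCII of one character as a 0/1 list, most significant bit first."""
    return [int(c) for c in format(ord(ch), "07b")]


def from_bits(bits):
    return chr(int("".join(map(str, bits)), 2))


if __name__ == "__main__":
    a, priv = keygen([7, 11, 19, 39, 79, 157, 313], 900, 37, [4, 2, 5, 3, 1, 7, 6])
    s = encrypt(bits7("g"), a)
    print("a =", a, " s =", s, " recovered:", from_bits(decrypt(s, priv)))
```

Running the script prints the public key a = [543, 407, 223, 703, 259, 781, 409] from Example 10.4, the ciphertext 2399 and the recovered character g. The same permute routine serves both directions because a = permute(t) and x = permute(x') use the same index map, which is what makes x · a equal to x' · t and therefore s' = r^{-1} s mod n equal to knapsackSum(x', b).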






10.2 RSA CRYPTOSYSTEM

The most common public-key algorithm is the RSA cryptosystem, named for its inventors (Rivest, Shamir, and Adleman).




RSA uses two exponents, e and d, where e is public and d is private. Suppose P is the plaintext and C is the ciphertext. Alice uses C = P^e mod n to create ciphertext C from plaintext P; Bob uses P = C^d mod n to retrieve the plaintext sent by Alice. The modulus n, a very large number, is created during the key generation process, as we will discuss later.

Encryption and decryption use modular exponentiation. As we discussed in Chapter 9, modular exponentiation is feasible in polynomial time using the fast exponentiation algorithm. However, the reverse operation, extracting the e-th root of C modulo n without knowing d, is not known to be any easier than factoring the modulus, for which there is no polynomial algorithm yet. This means that Alice can encrypt in polynomial time (e is public), Bob also can decrypt in polynomial time (because he knows d), but Eve cannot decrypt because she would have to calculate the e-th root of C using modular arithmetic. Figure 10.5 shows the idea.



Figure 10.5 Complexity of operations in RSA (Alice: C = P^e mod n, polynomial; Bob: P = C^d mod n, polynomial; Eve, on the insecure channel: P = e-th root of C mod n, no polynomial algorithm known)

In other words, Alice uses a one-way function (modular exponentiation) with a trapdoor known only to Bob. Eve, who does not know the trapdoor, cannot decrypt the message. If some day a polynomial algorithm for the e-th root modulo n calculation is found, modular exponentiation is not a one-way function any more.



Procedure

Figure 10.6 shows the general idea behind the procedure used in RSA.

RSA uses modular exponentiation for encryption/decryption; to attack it, Eve needs to calculate the e-th root of C mod n.






Figure 10.6 Encryption, decryption, and key generation in RSA (Bob: key calculation, (e, n) to the public, d kept private; Alice: plaintext P, C = P^e mod n, ciphertext C; Bob: P = C^d mod n, plaintext P)

Two Algebraic Structures

RSA uses two algebraic structures: a ring and a group.

Encryption/Decryption Ring  Encryption and decryption are done using the commutative ring R = <Z_n, +, ×> with two arithmetic operations: addition and multiplication. In RSA, this ring is public because the modulus n is public. Anyone can send a message to Bob using this ring to do encryption.

Key-Generation Group  RSA uses a multiplicative group G = <Z_{φ(n)}*, ×> for key generation. This group supports only multiplication and division (using multiplicative inverses), which are needed for generating the public and private keys. This group is hidden from the public because its modulus, φ(n), is hidden from the public. We will see shortly that if Eve can find this modulus, she can easily attack the cryptosystem.

RSA uses two algebraic structures: a public ring R = <Z_n, +, ×> and a private group G = <Z_{φ(n)}*, ×>.



Key Generation

Bob uses the steps shown in Algorithm 10.2 to create his public and private key. After key generation, Bob announces the tuple (e, n) as his public key; Bob keeps the integer d as his private key. Bob can discard p, q, and φ(n); they will not be needed unless Bob needs to change his private key without changing the modulus (which is not recommended, as we will see shortly). To be secure, the recommended size for each prime is 512 bits (about 154 decimal digits); this makes the size of the modulus n 1024 bits (309 digits).




Algorithm 10.2 RSA Key Generation

RSA_Key_Generation
{
    Select two large primes p and q such that p ≠ q.
    n ← p × q
    φ(n) ← (p − 1) × (q − 1)
    Select e such that 1 < e < φ(n) and e is coprime to φ(n)
    d ← e^{-1} mod φ(n)                  // d is the inverse of e modulo φ(n)
    Public_key ← (e, n)                  // To be announced publicly
    Private_key ← d                      // To be kept secret
    return Public_key and Private_key
}

In RSA, the tuple (e, n) is the public key; the integer d is the private key.



Encryption

Anyone can send a message to Bob using his public key. Encryption in RSA can be done using an algorithm with polynomial time complexity, as shown in Algorithm 10.3. The fast exponentiation algorithm was discussed in Chapter 9. The size of the plaintext must be less than n, which means that if the size of the plaintext is larger than n, it should be divided into blocks.

Algorithm 10.3 RSA encryption

RSA_Encryption (P, e, n)                 // P is the plaintext in Z_n and P < n
{
    C ← Fast_Exponentiation (P, e, n)    // Calculation of (P^e mod n)
    return C
}


Decryption

Bob can use Algorithm 10.4 to decrypt the ciphertext message he received. Decryption in RSA can be done using an algorithm with polynomial time complexity. The size of the ciphertext is less than n.

Algorithm 10.4 RSA decryption

RSA_Decryption (C, d, n)                 // C is the ciphertext in Z_n
{
    P ← Fast_Exponentiation (C, d, n)    // Calculation of (C^d mod n)
    return P
}

In RSA, p and q must be at least 512 bits; n must be at least 1024 bits.
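Added example, not the textbook's code: Algorithms 10.2 to 10.4 in Python, with the conditions the text states (p ≠ q, 1 < e < φ(n), gcd(e, φ(n)) = 1, plaintext block in Z_n) enforced as checks, plus the block splitting that the encryption section asks for when the plaintext is larger than n. The caller supplies the primes (no primality test is included); the letter code A = 00 ... Z = 25 is the one used in Example 10.7 below, and the small keys of Examples 10.5 to 10.7 are used to exercise it.

```python
"""Textbook RSA (Algorithms 10.2 to 10.4) with the checks the text calls for.

Added example; not the textbook's code. The caller supplies the primes (the
page's own small primes in the examples); no primality test is included, and
the letter code A=00 ... Z=25 is the one used in Example 10.7.
"""
from math import gcd


def rsa_key_generation(p, q, e):
    """Algorithm 10.2: returns ((e, n), d), raising if e is unusable."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) with gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                    # d = e^-1 mod phi(n)
    return (e, n), d


def rsa_encryption(P, e, n):
    """Algorithm 10.3: C = P^e mod n for a plaintext block P in Z_n."""
    if not 0 <= P < n:
        raise ValueError("P must be in Z_n; split a longer plaintext into blocks")
    return pow(P, e, n)


def rsa_decryption(C, d, n):
    """Algorithm 10.4: P = C^d mod n."""
    if not 0 <= C < n:
        raise ValueError("C must be in Z_n")
    return pow(C, d, n)


def encode_text(s):
    """Two decimal digits per letter, A=00 ... Z=25 (Example 10.7)."""
    return int("".join(f"{ord(c) - ord('A'):02d}" for c in s))


def decode_text(P, length):
    digits = f"{P:0{2 * length}d}"
    return "".join(chr(int(digits[i:i + 2]) + ord("A")) for i in range(0, 2 * length, 2))


def encrypt_blocks(P, e, n):
    """Split an arbitrarily large integer into base-n digits (each < n) and encrypt each."""
    blocks = []
    while P:
        P, rem = divmod(P, n)
        blocks.append(rem)
    return [rsa_encryption(b, e, n) for b in reversed(blocks)]


def decrypt_blocks(blocks, d, n):
    P = 0
    for C in blocks:
        P = P * n + rsa_decryption(C, d, n)
    return P


if __name__ == "__main__":
    pub, d = rsa_key_generation(397, 401, 343)            # Example 10.7
    C = rsa_encryption(encode_text("NO"), *pub)
    print(pub, d, C, decode_text(rsa_decryption(C, d, pub[1]), 2))
```

The block splitting is the textbook's "divide into blocks" applied literally (base-n digits, each block encrypted separately). With a modulus this small that is only a demonstration: unpadded blocks are exactly the setting of the short-message and chosen-ciphertext attacks described later, which is why real systems pad with OAEP instead.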




Proof of RSA

We can prove that encryption and decryption are inverses of each other using the second version of Euler's theorem discussed in Chapter 9:

If n = p × q, a < n, and k is an integer, then a^{k × φ(n) + 1} ≡ a (mod n).

Assume that the plaintext retrieved by Bob is P_1 and prove that it is equal to P.

$$P_1 = C^d \bmod n = (P^e \bmod n)^d \bmod n = P^{ed} \bmod n$$

$$ed = k\,\varphi(n) + 1 \qquad \text{(d and e are inverses modulo } \varphi(n)\text{)}$$

$$P_1 = P^{ed} \bmod n = P^{k\varphi(n)+1} \bmod n = P \bmod n = P \qquad \text{(Euler's theorem)}$$

Some Trivial Examples

Following are some trivial (insecure) examples of the RSA procedure. The criteria that make the RSA system secure will be discussed in the later sections.

Example 10.5

Bob chooses 7 and 11 as p and q and calculates n = 7 × 11 = 77. The value of φ(n) = (7 − 1)(11 − 1), or 60. Now he chooses two exponents, e and d, from Z_60*. If he chooses e to be 13, then d is 37. Note that e × d mod 60 = 1 (they are inverses of each other). Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5.

Plaintext: 5    C = 5^13 = 26 mod 77    Ciphertext: 26

Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:

Ciphertext: 26    P = 26^37 = 5 mod 77    Plaintext: 5

The plaintext 5 sent by Alice is received as plaintext 5 by Bob.
Example 10.6

Now assume that another person, John, wants to send a message to Bob. John can use the same public key announced by Bob (probably on his website), 13; John's plaintext is 63. John calculates the following:

Plaintext: 63    C = 63^13 = 28 mod 77    Ciphertext: 28

Bob receives the ciphertext 28 and uses his private key 37 to decipher the ciphertext:

Ciphertext: 28    P = 28^37 = 63 mod 77    Plaintext: 63






Example 10.7

Jennifer creates a pair of keys for herself. She chooses p = 397 and q = 401. She calculates n = 397 × 401 = 159197. She then calculates φ(n) = 396 × 400 = 158400. She then chooses e = 343 and d = 12007. Show how Ted can send a message to Jennifer if he knows e and n.

Suppose Ted wants to send the message "NO" to Jennifer. He changes each character to a number (from 00 to 25), with each character coded as two digits. He then concatenates the two coded characters and gets a four-digit number. The plaintext is 1314. Ted then uses e and n to encrypt the message. The ciphertext is 1314^343 = 33677 mod 159197. Jennifer receives the message 33677 and uses the decryption key d to decipher it as 33677^12007 = 1314 mod 159197. Jennifer then decodes 1314 as the message "NO". Figure 10.7 shows the process.

Figure 10.7 Encryption and decryption in Example 10.7 (Ted: "NO", encode, P = 1314, encrypt with e and n, C = 33677; Jennifer: decrypt with d, P = 1314, decode, "NO")



Attacks on RSA

No devastating attacks on RSA have ever been discovered. Several attacks have been predicted based on weak plaintext, weak parameter selection, or inappropriate implementation. Figure 10.8 shows the categories of potential attacks.

Figure 10.8 Taxonomy of potential attacks on RSA

  Factorization
  Chosen-ciphertext
  Encryption exponent: Coppersmith, broadcast, related message, and short pad
  Decryption exponent: revealed and low exponent
  Plaintext: short message, cycling, and unconcealed
  Modulus: common modulus
  Implementation: timing and power







Factorization Attack

The security of RSA is based on the idea that the modulus is so large that it is infeasible to factor it in a reasonable time. Bob selects p and q and calculates n = p × q. Although n is public, p and q are secret. If Eve can factor n and obtain p and q, she can calculate φ(n) = (p − 1)(q − 1). Eve then can calculate d = e^{-1} mod φ(n) because e is public. The private exponent d is the trapdoor that Eve can use to decrypt any encrypted message.

As we learned in Chapter 9, there are many factorization algorithms, but none of them can factor a large integer with polynomial time complexity. To be secure, RSA presently requires that n should be more than 300 decimal digits, which means that the modulus must be at least 1024 bits. Even using the largest and fastest computer available today, factoring an integer of this size would take an infeasibly long period of time. This means that RSA is secure as long as an efficient algorithm for factorization has not been found. (Since this was written, a 768-bit RSA modulus has been factored publicly, in 2009, and 1024-bit moduli are no longer considered adequate; current guidance is a 2048-bit modulus at minimum.)

Chosen-Ciphertext Attack

A potential attack on RSA is based on the multiplicative property of RSA. Assume that Alice creates the ciphertext C = P^e mod n and sends C to Bob. Also assume that Bob will decrypt an arbitrary ciphertext for Eve, other than C. Eve intercepts C and uses the following steps to find P:

a. Eve chooses a random integer X in Z_n*.

b. Eve calculates Y = C × X^e mod n.

c. Eve sends Y to Bob for decryption and gets Z = Y^d mod n. This step is an instance of a chosen-ciphertext attack.

d. Eve can easily find P because

$$Z = Y^d \bmod n = (C \times X^e)^d \bmod n = (C^d \times X^{ed}) \bmod n = (C^d \times X) \bmod n = (P \times X) \bmod n$$
$$Z = (P \times X) \bmod n \;\Rightarrow\; P = Z \times X^{-1} \bmod n$$

Eve uses the extended Euclidean algorithm to find the multiplicative inverse of X and eventually the value of P. This is one reason raw (textbook) RSA is never used as is: padding such as OAEP, discussed later in this chapter, destroys the multiplicative relation between Y and C.
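Added example, not textbook code: the four steps above in Python, with Bob modelled as a decryption oracle that refuses the one ciphertext Eve is after but decrypts anything else. The key is the Example 10.5 key (n = 77, e = 13, d = 37); the oracle and the blinding loop are this example's own construction. Note that Eve has to make sure the blinded Y is not the refused C itself, which happens exactly when X^e ≡ 1 (mod n).

```python
"""Chosen-ciphertext attack on textbook RSA through its multiplicative property.

Added example, not textbook code. Bob is modelled as a decryption oracle that
refuses to decrypt the one ciphertext C Eve is after but decrypts anything
else; the key is the Example 10.5 key (n = 77, e = 13, d = 37).
"""
import secrets
from math import gcd


def make_oracle(d, n, forbidden):
    """Bob's decryption service: Y^d mod n for every Y except the target C."""
    def decrypt(Y):
        if Y % n == forbidden % n:
            raise PermissionError("Bob refuses to decrypt the target ciphertext")
        return pow(Y, d, n)
    return decrypt


def chosen_ciphertext_attack(C, e, n, oracle):
    """Steps a-d of the text: blind C with X^e, ask Bob to decrypt, unblind with X^-1."""
    if C % n == 0:
        return 0                                   # P = 0 encrypts to 0; nothing to ask
    while True:
        X = secrets.randbelow(n - 2) + 2           # 2 <= X <= n-1
        Y = (C * pow(X, e, n)) % n                 # step b: Y = C * X^e mod n
        if gcd(X, n) == 1 and Y != C % n:          # X in Z_n*, and Y is not the refused C
            break
    Z = oracle(Y)                                  # step c: Z = Y^d = P * X mod n
    return (Z * pow(X, -1, n)) % n                 # step d: P = Z * X^-1 mod n


if __name__ == "__main__":
    e, d, n = 13, 37, 77
    C = pow(5, e, n)
    print("recovered P =", chosen_ciphertext_attack(C, e, n, make_oracle(d, n, C)))
```

Bob's refusal to decrypt C is of no help: Y is a uniformly random-looking element of Z_n, so a service that decrypts "anything but C" is as good to Eve as one that decrypts everything.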

O 

Attacks on the Encryption Exponent

To reduce the encryption time, it is tempting to use a small encryption exponent e. The common value for e is e = 3 (the second prime). However, there are some potential attacks on a low encryption exponent that we briefly discuss here. These attacks do not generally result in a breakdown of the system, but they still need to be prevented. To thwart these kinds of attacks, the recommendation is to use e = 2^16 + 1 = 65537 (or a prime close to this value).

Coppersmith Theorem Attack  The major low encryption exponent attack is referred to as the Coppersmith theorem attack. This theorem states that for a modulo-n polynomial f(x) of degree e, one can use an algorithm of complexity polynomial in log n to find the roots if one of the roots is smaller than n^{1/e}. This theorem can be applied to the RSA cryptosystem with C = f(P) = P^e mod n. If e = 3 and only two thirds of the bits in the plaintext P are known, the algorithm can find all bits in the plaintext.

Broadcast Attack  The broadcast attack can be launched if one entity sends the same message to a group of recipients with the same low encryption exponent. For example, assume the following scenario: Alice wants to send the same message to three recipients with the same public exponent e = 3 and the moduli n_1, n_2, and n_3.

C_1 = P^3 mod n_1        C_2 = P^3 mod n_2        C_3 = P^3 mod n_3

Applying the Chinese remainder theorem to these three equations, Eve can find an equation of the form C' = P^3 mod n_1 n_2 n_3. Since P is smaller than each n_i, P^3 < n_1 n_2 n_3, which means that C' = P^3 in regular arithmetic (not modular arithmetic). Eve can find the value of P = C'^{1/3}.
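Added example, not textbook code: the broadcast attack above in Python. The three public moduli are constructed here from small primes congruent to 2 mod 3 (so that e = 3 is a valid exponent for each); the attack itself uses nothing but the public keys and the three ciphertexts. The code is written for a general e with e ciphertexts, of which the page's e = 3 scenario is the instance run in the script.

```python
"""Broadcast attack on RSA with a low public exponent (Hastad).

Added example, not textbook code. The three public keys are constructed here
from small primes congruent to 2 mod 3, so e = 3 is a valid exponent for each;
the attack uses nothing but the public keys and the three ciphertexts. The
code is written for a general e with e ciphertexts, of which the page's e = 3
case is the instance shown.
"""
from math import gcd


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli: (x, N) with x = r_i mod n_i."""
    N = 1
    for m in moduli:
        N *= m
    x = 0
    for r, m in zip(residues, moduli):
        Ni = N // m
        x += r * Ni * pow(Ni, -1, m)
    return x % N, N


def iroot(x, e):
    """Exact integer e-th root of x, or None if x is not a perfect e-th power."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == x else None


def broadcast_attack(ciphertexts, moduli, e=3):
    """Given C_i = P^e mod n_i for e distinct moduli, recover P."""
    if len(ciphertexts) < e or len(moduli) < e:
        raise ValueError(f"need {e} ciphertexts under {e} different moduli")
    moduli, ciphertexts = moduli[:e], ciphertexts[:e]
    for i in range(e):
        for j in range(i):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("two moduli share a factor: factor them directly")
    c, N = crt(ciphertexts, moduli)          # c = P^e mod N with P^e < N ...
    P = iroot(c, e)                          # ... so c is P^e over the integers
    if P is None:
        raise ValueError("no exact root: P^e >= N (padded or too-large message)")
    return P


if __name__ == "__main__":
    moduli = [11 * 17, 23 * 29, 41 * 47]     # constructed toy public moduli
    P = 101
    cts = [pow(P, 3, n) for n in moduli]
    print("recovered P =", broadcast_attack(cts, moduli))
```

The failure branch is the important one: if each recipient's copy is padded with fresh random bits (OAEP, later in this chapter), the three ciphertexts are no longer cubes of the same integer and the CRT value has no exact cube root, so the attack yields nothing.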

Related Message Attack  The related message attack, discovered by Franklin and Reiter, can be briefly described as follows. Alice encrypts two plaintexts, P_1 and P_2, with e = 3 and sends C_1 and C_2 to Bob. If P_1 is related to P_2 by a linear function, then Eve can recover P_1 and P_2 in a feasible computation time.

Short Pad Attack  The short pad attack, discovered by Coppersmith, can be briefly described as follows. Alice has a message M to send to Bob. She pads the message with r_1, encrypts the result to get C_1, and sends C_1 to Bob. Eve intercepts C_1 and drops it. Bob informs Alice that he has not received the message, so Alice pads the message again with r_2, encrypts it, and sends it to Bob. Eve also intercepts this message. Eve now has C_1 and C_2, and she knows that they both are ciphertexts belonging to the same plaintext. Coppersmith proved that if r_1 and r_2 are short, Eve may be able to recover the original message M.

Attacks on the Decryption Exponent

Two forms of attacks can be launched on the decryption exponent: the revealed decryption exponent attack and the low decryption exponent attack. They are discussed briefly.

Revealed Decryption Exponent Attack  It is obvious that if Eve can find the decryption exponent, d, she can decrypt the current encrypted message. However, the attack does not stop here. If Eve knows the value of d, she can use a probabilistic algorithm (not discussed here) to factor n and find the values of p and q. Consequently, if Bob changes only the compromised decryption exponent but keeps the same modulus, n, Eve will be able to decrypt future messages because she has the factorization of n. This means that if Bob finds out that the decryption exponent is compromised, he needs to choose new values for p and q, calculate n, and create totally new private and public keys.

In RSA, if d is compromised, then p, q, n, e, and d must be regenerated.






Low Decryption Exponent Attack  Bob may think that using a small private key d would make the decryption process faster for him. Wiener showed that if d < (1/3) n^{1/4}, a special type of attack based on continued fractions, a topic discussed in number theory, can jeopardize the security of RSA. For this to happen, it must also be the case that q < p < 2q. If these two conditions exist, Eve can factor n in polynomial time.

In RSA, the recommendation is to have d > (1/3) n^{1/4} to prevent the low decryption exponent attack.
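Added example, not textbook code: Wiener's attack in Python. Each convergent k/d of the continued fraction of e/n is tried; if (e d − 1)/k is an integer φ, then p and q are the integer roots of x^2 − (n − φ + 1) x + n = 0, which is the check used here. The key is constructed deliberately weak (p = 65537, q = 65521, d = 17, so q < p < 2q and d < n^{1/4}/3 as the text requires); the attack itself sees only the public (e, n).

```python
"""Wiener's attack on a small decryption exponent via continued fractions.

Added example, not textbook code. The key is constructed deliberately weak
(p = 65537, q = 65521, d = 17, so q < p < 2q and d < n^(1/4)/3); the attack
itself sees only the public (e, n).
"""
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den."""
    cf = []
    while den:
        a, r = divmod(num, den)
        cf.append(a)
        num, den = den, r
    return cf


def convergents(cf):
    """Yield the convergents (numerator, denominator) of a partial-quotient list."""
    h_prev, h = 1, cf[0]
    k_prev, k = 0, 1
    yield h, k
    for a in cf[1:]:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(e, n):
    """Try each convergent k/d of e/n: if phi = (e*d - 1)/k is an integer and
    x^2 - (n - phi + 1)x + n = 0 has integer roots, those roots are p and q.
    Returns (d, p, q) or None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                      # would equal p + q
        disc = s * s - 4 * n
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t != disc or (s + t) % 2:
            continue
        p, q = (s + t) // 2, (s - t) // 2
        if p * q == n and p > 1 and q > 1:
            return d, p, q
    return None


def weak_key():
    """A constructed key that violates the d > n^(1/4)/3 recommendation."""
    p, q = 65537, 65521
    n, phi = p * q, (p - 1) * (q - 1)
    d = 17
    e = pow(d, -1, phi)
    return e, n, d


if __name__ == "__main__":
    e, n, d = weak_key()
    print("public key:", (e, n), "-> wiener_attack gives", wiener_attack(e, n))
```

On the Example 10.7 key (e = 343, n = 159197, d = 12007) the same routine returns None: d there is far above the bound, and none of the convergents of 343/159197 passes the integer-root check.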

Plaintext Attacks

Plaintext and ciphertext in RSA are permutations of each other because they are integers in the same interval (0 to n − 1). In other words, Eve already knows something about the plaintext. This characteristic may allow some attacks on the plaintext. Three attacks have been mentioned in the literature: the short message attack, the cycling attack, and the unconcealed attack.

Short Message Attack  In the short message attack, if Eve knows the set of possible plaintexts, she then knows one more piece of information in addition to the fact that the ciphertext is a permutation of the plaintext. Eve can encrypt all of the possible messages until the result is the same as the ciphertext intercepted. For example, if it is known that Alice is sending a four-digit number to Bob, Eve can easily try plaintext numbers from 0000 to 9999 to find the plaintext. For this reason, short messages must be padded with random bits at the front and the end to thwart this type of attack. It is strongly recommended that messages be padded with random bits before encryption using a method called OAEP, which is discussed later in this chapter.

Cycling Attack  The cycling attack is based on the fact that if the ciphertext is a permutation of the plaintext, the continuous encryption of the ciphertext will eventually result in the plaintext. In other words, if Eve continuously encrypts the intercepted ciphertext C, she will eventually get the plaintext. However, Eve does not know what the plaintext is, so she does not know when to stop. She needs to go one step further. When she gets the ciphertext C again, she goes back one step to find the plaintext.



Intercepted ciphertext: C
C_1 = C^e mod n
C_2 = C_1^e mod n
...
C_k = C_{k-1}^e mod n        // If C_k = C, stop: the plaintext is P = C_{k-1}

Is this a serious attack on RSA? It has been shown that the complexity of the algorithm is equivalent to the complexity of factoring n. In other words, there is no efficient algorithm that can launch this attack in polynomial time if n is large.

Unconcealed Message Attack  Another attack that is based on the permutation relationship between plaintext and ciphertext is the unconcealed message attack. An unconcealed message is a message that encrypts to itself (cannot be concealed). It has been proven that there are always some messages that are encrypted to themselves. Because the encryption exponent normally is odd, there are some plaintexts that are encrypted to themselves, such as P = 0, P = 1, and P = n − 1. Although there are more, if the encryption exponent is selected carefully, the number of these messages is negligible. The encrypting program can always check if the calculated ciphertext is the same as the plaintext and reject the plaintext before submitting the ciphertext.
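Added example, not textbook code: the cycling attack and the unconcealed-message check above in Python, on the Example 10.5 key (n = 77, e = 13) so the results can be verified by hand. The closed-form count of unconcealed messages, (1 + gcd(e − 1, p − 1))(1 + gcd(e − 1, q − 1)), is a standard result that the text does not state; it is included here as an assumption cross-checked against the brute-force count.

```python
"""Cycling attack and unconcealed (fixed-point) messages on textbook RSA.

Added example, not textbook code. Uses the Example 10.5 key (n = 77, e = 13)
so the cycle and the fixed-point count can be checked by hand. The closed-form
count is the standard formula, stated here as an assumption and checked
against brute force.
"""
from math import gcd


def cycling_attack(C, e, n, limit=10 ** 6):
    """Re-encrypt C until it reappears; the value just before it is the plaintext.
    Returns (plaintext, number of encryptions performed)."""
    prev, cur = C, pow(C, e, n)
    steps = 1
    while cur != C:
        if steps >= limit:
            raise RuntimeError("cycle longer than limit; give up (this is the normal case)")
        prev, cur = cur, pow(cur, e, n)
        steps += 1
    return prev, steps


def unconcealed_messages(e, n):
    """Brute force: every P in Z_n with P^e = P mod n."""
    return [P for P in range(n) if pow(P, e, n) == P]


def unconcealed_count(e, p, q):
    """Closed form (assumed, see lead-in): (1 + gcd(e-1, p-1)) * (1 + gcd(e-1, q-1))."""
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))


def encrypt_rejecting_fixed_points(P, e, n):
    """The text's countermeasure: refuse to emit a ciphertext equal to the plaintext."""
    C = pow(P, e, n)
    if C == P:
        raise ValueError(f"plaintext {P} is unconcealed under this key; re-pad and retry")
    return C


if __name__ == "__main__":
    print("cycling attack on C = 26:", cycling_attack(26, 13, 77))
    print("unconcealed messages for (e=13, n=77):", unconcealed_messages(13, 77))
```

For n = 77 and e = 13 the fixed points are exactly the 21 residues that are congruent to 0, 1 or 10 modulo 11 (every residue modulo 7 is fixed because 13 ≡ 1 mod 6), which is why the recommendation to choose e carefully matters even for this toy key: more than a quarter of Z_77 is unconcealed.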

Attacks on the Modulus

The main attack on RSA, as discussed previously, is the factorization attack. The factorization attack can be considered an attack on a low modulus. However, because we have already discussed this attack, we will concentrate on another attack on the modulus: the common modulus attack.

Common Modulus Attack  The common modulus attack can be launched if a community uses a common modulus, n. For example, people in a community might let a trusted party select p and q, calculate n and φ(n), and create a pair of exponents (e_i, d_i) for each entity. Now assume Alice needs to send a message to Bob. The ciphertext to Bob is C = P^{e_B} mod n. Bob uses his private exponent, d_B, to decrypt his message, P = C^{d_B} mod n. The problem is that Eve can also decrypt the message if she is a member of the community and has been assigned a pair of exponents (e_E, d_E), as we learned in the section "Revealed Decryption Exponent Attack". Using her own exponents e_E and d_E, Eve can launch a probabilistic attack to factor n and find Bob's d_B. To thwart this type of attack, the modulus must not be shared; each entity needs to calculate her or his own modulus.
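Added example, not textbook code, serving both the revealed decryption exponent attack and the common modulus attack above. The "probabilistic algorithm (not discussed here)" is implemented as the standard one: e d − 1 is a multiple of φ(n), so for a base g the value g^{(e d − 1)/2^i} mod n is a square root of 1 for some i, and for at least half of all bases it is a root other than ±1, whose gcd with n is a factor. Bases are tried in a fixed order rather than at random so the run is repeatable; the keys are the page's own toy keys.

```python
"""Factoring the modulus from a leaked (e, d) pair, and the common-modulus attack.

Added example, not textbook code. The 'probabilistic algorithm (not discussed
here)' is the standard one: e*d - 1 is a multiple of phi(n), so for a base g
the value g^((e*d-1)/2^i) mod n is a square root of 1 for some i, and for at
least half of the bases it is a non-trivial one, which reveals a factor via gcd.
"""
from math import gcd


def factor_from_ed(n, e, d, bases=range(2, 1000)):
    """Return (p, q) with p*q == n, or None if no base in `bases` works."""
    k = e * d - 1                          # multiple of phi(n), hence even
    if k % 2:
        raise ValueError("e*d - 1 is odd: (e, d) is not an RSA pair for n")
    s, t = 0, k
    while t % 2 == 0:                      # k = 2^s * t with t odd
        t //= 2
        s += 1
    for g in bases:
        if g >= n:
            break
        if gcd(g, n) != 1:                 # g itself shares a factor with n
            p = gcd(g, n)
            return p, n // p
        x = pow(g, t, n)
        if x in (1, n - 1):
            continue                       # only trivial roots along this base
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                     # x is a square root of 1 other than +-1
                p = gcd(x - 1, n)
                return p, n // p
            if y == n - 1:
                break
            x = y
    return None


def common_modulus_attack(n, e_eve, d_eve, e_bob, C):
    """Eve, holding her own (e_E, d_E) on the shared n, recovers Bob's d_B and reads C."""
    factors = factor_from_ed(n, e_eve, d_eve)
    if factors is None:
        raise RuntimeError("no base produced a non-trivial square root of 1")
    p, q = factors
    phi = (p - 1) * (q - 1)
    d_bob = pow(e_bob, -1, phi)
    return d_bob, pow(C, d_bob, n)


if __name__ == "__main__":
    print("factors of 77 from (13, 37):", factor_from_ed(77, 13, 37))
    print("Eve reads Bob's message:", common_modulus_attack(77, 13, 37, 7, 47))
```

In the common-modulus call, Eve's pair is the Example 10.5 pair (13, 37) and Bob's public exponent is 7 with private exponent 43 = 7^{-1} mod 60; the ciphertext 47 = 5^7 mod 77 is the encryption of 5 to Bob. Once Eve holds p and q, every exponent pair ever issued on that modulus is hers.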

Attacks on Implementation

The previous attacks were based on the underlying structure of RSA. As Dan Boneh has shown, there are several attacks on the implementation of RSA. We mention two of these attacks: the timing attack and the power attack.

Timing Attack  Paul Kocher elegantly demonstrated a ciphertext-only attack, called the timing attack. The attack is based on the fast exponentiation algorithm discussed in Chapter 9. The algorithm uses only squaring if the corresponding bit in the private exponent d is 0; it uses both squaring and multiplication if the corresponding bit is 1. In other words, the time required to do each iteration is longer if the corresponding bit is 1. This timing difference allows Eve to find the value of the bits in d one by one.

Assume that Eve has intercepted a large number of ciphertexts, C_1 to C_m. Also assume that Eve has observed how long it takes for Bob to decrypt each ciphertext, T_1 to T_m. Eve, who knows how long it takes for the underlying hardware to calculate a multiplication operation, calculates t_1 to t_m, where t_i is the time required to calculate the multiplication operation Result = Result × C_i mod n.

Eve can use Algorithm 10.5, which is a simplified version of the algorithm used in practice, to calculate all bits in d (d_0 to d_{k-1}).

The algorithm sets d_0 = 1 (because d should be odd) and calculates new values for the T_i's (decryption time related to d_1 to d_{k-1}). The algorithm then assumes the next bit is 1 and finds some new values D_1 to D_m based on this assumption. If the assumption is correct, each D_i is probably smaller than the corresponding T_i. However, the algorithm uses the variance (or other correlation criteria) to consider all variations of D_i and T_i. If the difference in variance is positive, that is, if subtracting the predicted multiplication times reduced the spread of the remaining times, the algorithm assumes that the next bit is 1; otherwise, it assumes that the next bit is 0. The algorithm then calculates the new T_i's to be used for the remaining bits.

Algorithm 10.5 Timing attack on RSA

Calculate_d_bits
{
    d_0 ← 1                                              // Because d is odd
    [T_1 ... T_m] ← [T_1 ... T_m] − [t_1 ... t_m]        // Update T_i for the next bit
    for (j from 1 to k − 1)
    {
        Recalculate [t_1 ... t_m]                        // Recalculate t_i assuming the next bit is 1
        [D_1 ... D_m] ← [T_1 ... T_m] − [t_1 ... t_m]
        var ← variance([T_1 ... T_m]) − variance([D_1 ... D_m])
        if (var > 0)
        {
            d_j ← 1
            [T_1 ... T_m] ← [D_1 ... D_m]                // Update T_i for the next bit
        }
        else d_j ← 0
    }
}
There are two methods to thwart the timing attack:

1. Add random delays to the exponentiations to make each exponentiation take the same amount of time. (Random delays only add noise, which Eve can average away with more measurements; in practice they are combined with blinding or replaced by an exponentiation whose sequence of operations does not depend on d.)

2. Rivest recommended blinding. The idea is to multiply the ciphertext by a random number before decryption. The procedure is as follows:

   a. Select a secret random number r between 1 and (n − 1).

   b. Calculate C_1 = C × r^e mod n.

   c. Calculate P_1 = C_1^d mod n.

   d. Calculate P = P_1 × r^{-1} mod n.

Power Attack  The power attack is similar to the timing attack. Kocher showed that if Eve can precisely measure the power consumed during decryption, she can launch a power attack based on the principle discussed for the timing attack. An iteration involving multiplication and squaring consumes more power than an iteration that uses only squaring. The same kind of techniques used to prevent timing attacks can be used to thwart power attacks.
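Added example, not textbook code: the leak that the timing and power attacks exploit, and Rivest's blinding from steps a to d above, in Python. Nothing is timed; instead the square-and-multiply exponentiation is instrumented to report, for each exponent bit, whether a multiplication took place, which is the same information a timing or power trace exposes (an assumption standing in for real measurements). The key is the Example 10.5 key.

```python
"""Square-and-multiply leakage and Rivest's blinding countermeasure.

Added example, not textbook code. No timing is measured: the exponentiation
is instrumented to report, per exponent bit, whether a multiplication
happened, which is the information a timing or power trace exposes.
Blinding follows steps a-d of the text.
"""
import secrets
from math import gcd


def square_and_multiply(base, exp, n):
    """Left-to-right binary exponentiation. Returns (result, trace), where trace
    has one entry per exponent bit, most significant first: 'SM' if the bit is 1
    (square and multiply) or 'S' if it is 0 (square only)."""
    result = 1
    trace = []
    for bit in bin(exp)[2:]:
        result = (result * result) % n
        if bit == "1":
            result = (result * base) % n
            trace.append("SM")
        else:
            trace.append("S")
    return result, trace


def bits_from_trace(trace):
    """What an observer of the operation pattern learns: the exponent itself."""
    return int("".join("1" if op == "SM" else "0" for op in trace), 2)


def blinded_decrypt(C, d, e, n):
    """Rivest blinding: exponentiate C * r^e instead of C and strip r afterwards,
    so the operand going through the leaky loop is unknown to the observer."""
    while True:
        r = secrets.randbelow(n - 1) + 1          # step a: 1 <= r <= n-1
        if gcd(r, n) == 1:
            break
    C1 = (C * pow(r, e, n)) % n                   # step b
    P1, _ = square_and_multiply(C1, d, n)         # step c
    return (P1 * pow(r, -1, n)) % n               # step d


if __name__ == "__main__":
    e, d, n = 13, 37, 77
    P, trace = square_and_multiply(26, d, n)
    print("P =", P, " trace =", trace, " exponent read from trace =", bits_from_trace(trace))
    print("blinded decryption of 26:", blinded_decrypt(26, d, e, n))
```

Blinding defeats Kocher's statistical attack because Eve can no longer compute the per-ciphertext predictions t_i: she does not know which value C × r^e is being exponentiated. It does not change the sequence of operations, so an attacker who can read the pattern of squarings and multiplications directly from a single power trace still obtains d; against that, the exponentiation itself must perform the same operations regardless of the bit value.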

Recommendations

The following recommendations are based on theoretical and experimental results:

1. The number of bits for n should be at least 1024. This means that n should be around 2^1024, or 309 decimal digits.

2. The two primes p and q must each be at least 512 bits. This means that p and q should be around 2^512, or 154 decimal digits.

3. The values of p and q should not be very close to each other.

4. Both p − 1 and q − 1 should have at least one large prime factor.

5. The ratio p/q should not be close to a rational number with a small numerator or denominator.

6. The modulus n must not be shared.

7. The value of e should be 2^16 + 1 or an integer close to this value.

8. If the private key d is leaked, Bob must immediately change n as well as both e and d. It has been proven that knowledge of n and one pair (e, d) can lead to the discovery of other pairs for the same modulus.

9. Messages must be padded using OAEP, discussed later.

Optimal Asymmetric Encryption Padding (OAEP)

As we mentioned earlier, a short message in RSA makes the ciphertext vulnerable to short message attacks. It has been shown that simply adding bogus data (padding) to the message might make Eve's job harder, but with additional effort she can still attack the ciphertext. The solution proposed by the RSA group and some vendors is to apply a procedure called optimal asymmetric encryption padding (OAEP). Figure 10.9 shows a simple version of this procedure; the implementation may use a more sophisticated version.

Figure 10.9 Optimal asymmetric encryption padding (OAEP)

  M: padded message (m bits)            P: plaintext (P_1, P_2), (m + k) bits
  r: one-time random number (k bits)    C: ciphertext, (m + k) bits
  G: public function, k bits to m bits  H: public function, m bits to k bits
  Sender: P_1 = M ⊕ G(r), P_2 = H(P_1) ⊕ r      Receiver: r = H(P_1) ⊕ P_2, M = P_1 ⊕ G(r)

The whole idea in Figure 10.9 is that P = P_1 || P_2, where P_1 is the masked version of the padded message M; P_2 is sent to allow Bob to find the mask.

Encryption  The following shows the encryption process:

1. Alice pads the message to make an m-bit message, which we call M.

2. Alice chooses a random number r of k bits. Note that r is used only once and is then destroyed.

3. Alice uses a public one-way function, G, that takes a k-bit integer and creates an m-bit integer (m is the size of M and k < m). This is the mask.

4. Alice applies the mask G(r) to create the first part of the plaintext, P_1 = M ⊕ G(r). P_1 is the masked message.

5. Alice creates the second part of the plaintext as P_2 = H(P_1) ⊕ r. The function H is another public function that takes an m-bit input and creates a k-bit output. This function can be a cryptographic hash function (see Chapter 12). P_2 is used to allow Bob to recreate the mask after decryption.

6. Alice creates C = P^e mod n = (P_1 || P_2)^e mod n and sends C to Bob.

Decryption  The following shows the decryption process:

1. Bob creates P = C^d mod n = (P_1 || P_2).

2. Bob first recreates the value of r using H(P_1) ⊕ P_2 = H(P_1) ⊕ H(P_1) ⊕ r = r.

3. Bob uses G(r) ⊕ P_1 = G(r) ⊕ G(r) ⊕ M = M to recreate the value of the padded message.

4. After removing the padding from M, Bob finds the original message.
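Added example, not textbook code: the simplified OAEP of Figure 10.9 as a byte-level pad and unpad in Python, following encryption steps 2 to 5 and decryption steps 2 to 3. The page leaves G and H as unspecified public functions; here G is instantiated as an MGF1-style expander over SHA-256 and H as SHA-256 truncated to k bytes, with k = 16 bytes (128-bit r), all of which are this example's assumptions. The standardized RSA-OAEP of PKCS#1 v2 adds a label hash and a separator byte that this textbook variant omits, so the two are not interoperable; the RSA exponentiation itself (step 6 and decryption step 1) is left out, and a helper only checks that the padded value fits below a given modulus.

```python
"""Simplified OAEP from Figure 10.9: P = P1 || P2 with P1 = M xor G(r), P2 = H(P1) xor r.

Added example, not textbook code. G and H are instantiated here with SHA-256
(G as an MGF1-style expander, H as a truncated hash); k = 16 bytes for r.
PKCS#1 v2 RSA-OAEP adds a label hash and a separator byte that this simplified
textbook variant omits, so this is not interoperable with it.
"""
import hashlib
import secrets

K = 16                                      # size of r in bytes (k = 128 bits)


def G(r, m):
    """Public function: expand the k-byte r into an m-byte mask (MGF1 with SHA-256)."""
    out = b""
    counter = 0
    while len(out) < m:
        out += hashlib.sha256(r + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:m]


def H(p1):
    """Public function: compress the m-byte P1 to k bytes."""
    return hashlib.sha256(p1).digest()[:K]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(M, r=None):
    """Alice's steps 2-5: returns P = P1 || P2 (m + k bytes). r is drawn fresh unless given."""
    if len(M) <= K:
        raise ValueError("the text requires k < m: pad M to more than k bytes first")
    r = secrets.token_bytes(K) if r is None else r
    if len(r) != K:
        raise ValueError("r must be exactly k bytes")
    P1 = xor(M, G(r, len(M)))               # step 4: masked message
    P2 = xor(H(P1), r)                      # step 5: lets Bob recover the mask
    return P1 + P2


def oaep_decode(P):
    """Bob's steps 2-3: recover r from P2, then M from P1."""
    if len(P) <= 2 * K:
        raise ValueError("P too short to be P1 || P2 with m > k")
    P1, P2 = P[:-K], P[-K:]
    r = xor(H(P1), P2)                      # H(P1) xor H(P1) xor r = r
    return xor(P1, G(r, len(P1)))           # G(r) xor G(r) xor M = M


def oaep_fits(P, n):
    """Step 6 needs the padded value as an integer in Z_n; report whether it is."""
    return int.from_bytes(P, "big") < n


if __name__ == "__main__":
    M = b"THIS IS A TEST (constructed sample message)"
    P = oaep_encode(M)
    print(len(P), "bytes padded; decodes to", oaep_decode(P))
```

Encoding the same M twice yields two different P, which is the whole point against the short-message, broadcast and short-pad attacks above: the value that goes into the exponentiation is randomized, so no two encryptions of the same message are related.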
Error in Transmission

If there is even a single bit error during transmission, RSA will fail. If the received ciphertext is different from what was sent, the receiver cannot determine the original plaintext. The plaintext calculated at the receiver site may be very different from the one sent by the sender. The transmission media must be made error-free by adding error-detecting or error-correcting redundant bits to the ciphertext.

Example 10.8

Here is a more realistic example. We choose a 512-bit p and q, calculate n and φ(n), then choose e and test for relative primeness with φ(n). We then calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number.



i 1 3(B4S3135835tMS74l 91581 2S$ft l&mW3Wmtt$WWm 5 »22.i sv^ij w 6 
47^045 505647063 &49 I 257 1 601 30ii , ^S^gc^a^^24201 y 1 fiOS7flO«5742 
■' 1 096063 3 5421 992fifi6 1 W 






The integer q is a 160-digit number.



! 2060 1 9 1 95723 1 44#> J 827679 42( H45G&9600 L 55592505463703 3936061 798321 7 



A 55249690O0359660Oi56 1 7 . 

The modulus n = p × q is:

1 438&£<{p832635p&l 727687&S 1 5&6&325li^8 W930titi254 R.57641 i 1250 1624 1 4 
5523^1 829271 <Q507fl 56772727460(1971>SZ714 127 7304349&*500556347274566- j . 
62S 




7667 1X3 1 #3 1 0883 7342QP2344457095 3 






φ(n) = (p − 1)(q − 1) is:




55261376: 



H5935Q4 1 739^6j/9r^a925098Ei46 15887523771 4573754541 
147S 8540832635^2768788 15968325 16846884930062548576411 1250 1 6241 4 
552339.1 8292? 1^250^(5675 10542336GS4929 1 67520344S262798K ] 17 5547*7657 
0 1 39234444057 tftf^^J 728 1 960982263610754672 1 \ 8646 ! 21 7 1, 359 1073 SfiBW 
61. 4O0SS35 170265377^26446734 1 06^4^57664128 

Bob chooses e = 35535 (the ideal is 65537) and tests it to make sure it is relatively prime with φ(n). He then finds the inverse of e modulo φ(n) and calls it d.






58(X)83O2*fi0037763y 36093661 2»9^* I75946690620ft9650962l80422866l 113 
805 93 815283235 S 73 1 70628 69 10030^2^08590443384021 707298690876006 1 15 
3(>62C)2524^59KM448fW756H24(>9rt62V^1485fi1 71 3C^^)644m7704K33l34- 
Dl 085094738529564507 193677406 \ 1 975^655742423721 76 1767462077637 1 642 
076O0337O85333288532 1 44701*85955 13&OTE94831 



Alice wants to send the message "THIS IS A TEST", which can be changed to a numeric value using the 00–26 encoding scheme (26 is the space character).

P = 1907081826081826002619041819



The ciphertext calculated by Alice is C = P^e mod n, which is



47 5309 123646226S27206365 5506 10545 18094237 179607049 1716523239243054 ■ 
45296061*19932856661 78434 1 8 359 1 1 4 15 1 1 9741 1 25200568297979457 173*036 
' 1 0 127821 8B47S9274 1 5fift09t tiK00235O7 1 907 15277 ] H59 14975 1-38465 Hffiti3H 0 1 ■ 
148354 ] 0336 1 65739&46?%33ffi7637337637774656H0792S05Zl 148 L 41 844048 . 
141 8443OE12773O590O4692874243559 1-664621 08656 



Bob can recover the plaintext from the ciphertext by using P = C^d mod n, which is

P = 1907081826081826002619041819

The recovered plaintext is "THIS IS A TEST" after decoding.

Applications

Although RSA can be used to encrypt and decrypt actual messages, it is very slow if the message is long. RSA, therefore, is useful for short messages. In particular, we will see that RSA is used in digital signatures and other cryptosystems that often need to encrypt a small message without having access to a symmetric key. RSA is also used for authentication, as we will see in later chapters.



10.3 RABIN CRYPTOSYSTEM

The Rabin cryptosystem, devised by M. Rabin, is a variation of the RSA cryptosystem. RSA is based on the exponentiation congruence; Rabin is based on quadratic congruence. The Rabin cryptosystem can be thought of as an RSA cryptosystem in which the values of e and d are fixed: e = 2 and d = 1/2. In other words, the encryption is C ≡ P^2 (mod n) and the decryption is P ≡ C^{1/2} (mod n).

The public key in the Rabin cryptosystem is n; the private key is the tuple (p, q). Everyone can encrypt a message using n; only Bob can decrypt the message using p and q. Decryption of the message is infeasible for Eve because she does not know the values of p and q. Figure 10.10 shows the encryption and decryption.

Figure 10.10 Encryption, decryption, and key generation in the Rabin cryptosystem

(Figure: Bob runs key generation, announces the public key n and keeps the private key (p, q). Alice computes the ciphertext C = P^2 mod n from the plaintext P; Bob recovers P from C using p and q.)


We need to emphasize a point here. If Bob is using RSA, he can keep d and n and discard p, q, and φ(n) after key generation. If Bob is using the Rabin cryptosystem, he needs to keep p and q.


Procedure

Key generation, encryption, and decryption are described below.

Key Generation

Bob uses the steps shown in Algorithm 10.6 to create his public key and private key.

Algorithm 10.6 Key generation for Rabin cryptosystem

Rabin_Key_Generation
{
  Choose two large primes p and q in the form 4k + 3 and p ≠ q
  n ← p × q
  Public_key ← n              // To be announced publicly
  Private_key ← (p, q)        // To be kept secret
  return Public_key and Private_key
}


Although the two primes, p and q, can be in the form 4k + 1 or 4k + 3, the decryption process becomes more difficult if the first form is used. It is recommended to use the second form, 4k + 3, to make the decryption for Bob much easier.


Encryption

Anyone can send a message to Bob using his public key. The encrypting process is shown in Algorithm 10.7.

Algorithm 10.7 Encryption in Rabin cryptosystem

Rabin_Encryption (n, P)       // n is the public key; P is the plaintext from Z_n*
{
  C ← P^2 mod n               // C is the ciphertext
  return C
}



Although the plaintext P can be chosen from the set Z_n, we have defined the set to be in Z_n* to make the decryption easier.

Encryption in the Rabin cryptosystem is very simple. The operation needs only one multiplication, which can be done quickly. This is beneficial when resources are limited. For example, smart cards have limited memory and need to use short CPU time.



Decryption

Bob can use Algorithm 10.8 to decrypt the received ciphertext.

Algorithm 10.8 Decryption in Rabin cryptosystem

Rabin_Decryption (C, p, q)    // C is the ciphertext; p and q are the private keys
{
  a1 ← +(C^((p+1)/4)) mod p
  a2 ← −(C^((p+1)/4)) mod p
  b1 ← +(C^((q+1)/4)) mod q
  b2 ← −(C^((q+1)/4)) mod q

  // The algorithm for the Chinese remainder theorem is called four times
  P1 ← Chinese_Remainder (a1, b1, p, q)
  P2 ← Chinese_Remainder (a1, b2, p, q)
  P3 ← Chinese_Remainder (a2, b1, p, q)
  P4 ← Chinese_Remainder (a2, b2, p, q)
  return P1, P2, P3, and P4
}




Several points should be emphasized here. The decryption is based on the solution of quadratic congruence, discussed in Chapter 9. Because the received ciphertext is the square of the plaintext, it is guaranteed that C is a quadratic residue (has square roots) in Z_n*. The Chinese remainder algorithm is used to find the four square roots.

The most important point about the Rabin system is that it is not deterministic. The decryption has four answers. It is up to the receiver of the message to choose one of the four as the final answer. However, in many situations the receiver can easily pick the right answer, for example when the plaintext carries agreed redundancy.

   The Rabin cryptosystem is not deterministic: Decryption creates four equally probable plaintexts.



Example 10.9

Here is a very trivial example to show the idea.

1. Bob selects p = 23 and q = 7. Note that both are congruent to 3 mod 4.
2. Bob calculates n = p × q = 161.
3. Bob announces n publicly; he keeps p and q private.
4. Alice wants to send the plaintext P = 24. Note that 161 and 24 are relatively prime; 24 is in Z_161*. She calculates C = 24^2 = 93 mod 161, and sends the ciphertext 93 to Bob.
5. Bob receives 93 and calculates four values:
   a. a1 = +(93^((23+1)/4)) mod 23 = 1 mod 23
   b. a2 = −(93^((23+1)/4)) mod 23 = 22 mod 23
   c. b1 = +(93^((7+1)/4)) mod 7 = 4 mod 7
   d. b2 = −(93^((7+1)/4)) mod 7 = 3 mod 7
6. Bob takes the four possible answers, (a1, b1), (a1, b2), (a2, b1), and (a2, b2), and uses the Chinese remainder theorem to find four possible plaintexts: 116, 24, 137, and 45 (all of them relatively prime to 161). Note that only the second answer is Alice's plaintext. Bob needs to make a decision based on the situation. Note also that all four of these answers, when squared modulo n, give the ciphertext 93 sent by Alice.

   116^2 ≡ 93 mod 161      24^2 ≡ 93 mod 161      137^2 ≡ 93 mod 161      45^2 ≡ 93 mod 161
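The whole procedure of Algorithms 10.6 to 10.8, as an added Python example (my code, not the book's), reproducing Example 10.9. It uses only the standard library; the extended-Euclid and Chinese-remainder helpers are my own and the fourfold root list comes back in the same (a, b) pair order as Algorithm 10.8.

```python
# Added example (not from the book): Rabin key generation, encryption and
# decryption as in Algorithms 10.6-10.8, reproducing Example 10.9 with
# p = 23, q = 7 (both of the form 4k + 3).  Pure Python, no external libraries.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(a, m):
    """Multiplicative inverse of a modulo m (raises if gcd(a, m) != 1)."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("%d has no inverse mod %d" % (a, m))
    return x % m


def chinese_remainder(a, b, p, q):
    """The unique x in Z_pq with x = a (mod p) and x = b (mod q), p and q coprime."""
    t = ((b - a) * mod_inverse(p, q)) % q       # x = a + p*t for this t
    return (a + p * t) % (p * q)


def rabin_key_generation(p, q):
    """Algorithm 10.6: public key n = p*q, private key (p, q); p, q distinct, = 3 mod 4."""
    if p % 4 != 3 or q % 4 != 3 or p == q:
        raise ValueError("p and q must be distinct primes of the form 4k + 3")
    return p * q, (p, q)


def rabin_encryption(n, P):
    """Algorithm 10.7: one modular squaring."""
    return pow(P, 2, n)


def rabin_decryption(C, p, q):
    """Algorithm 10.8: the four square roots of C mod n.  For p = 3 mod 4 the
    root of C mod p is C^((p+1)/4); the CRT combines the +/- roots mod p and q."""
    a1 = pow(C, (p + 1) // 4, p)        # +sqrt(C) mod p
    a2 = (-a1) % p                      # -sqrt(C) mod p
    b1 = pow(C, (q + 1) // 4, q)        # +sqrt(C) mod q
    b2 = (-b1) % q                      # -sqrt(C) mod q
    pairs = ((a1, b1), (a1, b2), (a2, b1), (a2, b2))
    return [chinese_remainder(a, b, p, q) for a, b in pairs]


if __name__ == "__main__":
    n, (p, q) = rabin_key_generation(23, 7)          # n = 161
    C = rabin_encryption(n, 24)                      # 24^2 mod 161 = 93
    roots = rabin_decryption(C, p, q)
    print("ciphertext:", C, "candidates:", roots)    # 93 [116, 24, 137, 45]
    # every candidate squares back to C; only context tells Bob which one Alice sent
    assert all(pow(x, 2, n) == C for x in roots)
```

Note that all four candidates are genuine square roots: the receiver cannot distinguish them from the ciphertext alone, which is why a real deployment pads the plaintext with recognizable redundancy before squaring.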

Security of the Rabin System

The Rabin system is secure as long as p and q are large numbers. The complexity of breaking the Rabin system is at the same level as factoring a large number n into its two prime factors p and q; in fact, an algorithm that finds square roots modulo n can be turned into a factoring algorithm, so this equivalence is proven for Rabin, whereas for RSA it is only conjectured. In other words, the Rabin system is at least as secure as RSA.



10.4 ELGAMAL CRYPTOSYSTEM

Besides RSA and Rabin, another public-key cryptosystem is ElGamal, named after its inventor, Taher ElGamal. ElGamal is based on the discrete logarithm problem discussed in Chapter 9.

ElGamal Cryptosystem

Recall from Chapter 9 that if p is a very large prime, e1 is a primitive root in the group G = <Z_p*, ×> and r is an integer, then e2 = e1^r mod p is easy to compute using the fast exponentiation algorithm (square-and-multiply method), but given e2, e1, and p, it is infeasible to calculate r = log_{e1} e2 mod p (discrete logarithm problem).

Procedure

Figure 10.11 shows key generation, encryption, and decryption in ElGamal.

Figure 10.11 Key generation, encryption, and decryption in ElGamal

(Figure: Bob's key generation selects the prime p, a primitive root e1 and the private key d, and computes e2 = e1^d mod p; the public key is (e1, e2, p). Alice's encryption chooses r and sends the ciphertext (C1, C2). Bob's decryption computes P = [C2 × (C1^d)^−1] mod p.)

Key Generation

Bob uses the steps shown in Algorithm 10.9 to create his public and private key.

Algorithm 10.9 ElGamal key generation

ElGamal_Key_Generation
{
  Select a large prime p
  Select d to be a member of the group G = <Z_p*, ×> such that 1 ≤ d ≤ p − 2
  Select e1 to be a primitive root in the group G = <Z_p*, ×>
  e2 ← e1^d mod p
  Public_key ← (e1, e2, p)      // To be announced publicly
  Private_key ← d               // To be kept secret
  return Public_key and Private_key
}




Encryption

Anyone can send a message to Bob using his public key. The encryption process is shown in Algorithm 10.10. If the fast exponentiation algorithm (see Chapter 9) is used, encryption in the ElGamal cryptosystem can also be done in polynomial time complexity.

Algorithm 10.10 ElGamal encryption

ElGamal_Encryption (e1, e2, p, P)       // P is the plaintext
{
  Select a random integer r in the group G = <Z_p*, ×>
  C1 ← e1^r mod p
  C2 ← (P × e2^r) mod p                 // C1 and C2 are the ciphertexts
  return C1 and C2
}



Decryption

Bob can use Algorithm 10.11 to decrypt the ciphertext message received.

Algorithm 10.11 ElGamal decryption

ElGamal_Decryption (d, p, C1, C2)       // C1 and C2 are the ciphertexts
{
  P ← [C2 × (C1^d)^−1] mod p           // P is the plaintext
  return P
}

   The bit-operation complexity of encryption or decryption in the ElGamal cryptosystem is polynomial.






Proof

The ElGamal decryption expression [C2 × (C1^d)^−1] mod p can be verified to be P through substitution of C2 = e2^r × P, e2 = e1^d and C1 = e1^r:

[C2 × (C1^d)^−1] mod p = [e2^r × P × ((e1^r)^d)^−1] mod p = [e1^{dr} × P × (e1^{rd})^−1] mod p = P




Example 10.10

Here is a trivial example. Bob chooses p = 11. He then chooses e1 = 2. Note that 2 is a primitive root in Z_11* (see Appendix J). Bob then chooses d = 3 and calculates e2 = e1^d = 8. So the public key is (2, 8, 11) and the private key is 3. Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7.

Plaintext: 7
C1 = e1^r mod 11 = 16 mod 11 = 5 mod 11
C2 = (P × e2^r) mod 11 = (7 × 4096) mod 11 = 6 mod 11
Ciphertext: (5, 6)

Bob receives the ciphertext (5 and 6) and calculates the plaintext.

[C2 × (C1^d)^−1] mod 11 = 6 × (5^3)^−1 mod 11 = 6 × 3 mod 11 = 7 mod 11
Plaintext: 7

Example 10.11

Instead of using P = [C2 × (C1^d)^−1] mod p for decryption, we can avoid the calculation of the multiplicative inverse and use P = [C2 × C1^{p−1−d}] mod p (see Fermat's little theorem in Chapter 9). In Example 10.10, we can calculate P = [6 × 5^{11−1−3}] mod 11 = 7 mod 11.

Analysis

A very interesting point about the ElGamal cryptosystem is that Alice creates r and keeps it secret; Bob creates d and keeps it secret. The puzzle of this cryptosystem can be solved as follows:

a. Alice sends C2 = [e2^r × P] mod p = [e1^{dr} × P] mod p. The expression (e1^{dr}) acts as a mask that hides the value of P. To find the value of P, Bob must remove this mask.

b. Because modular arithmetic is being used, Bob needs to create a replica of the mask and invert it (multiplicative inverse) to cancel the effect of the mask.

c. Alice also sends C1 = e1^r to Bob, which is a part of the mask. Bob needs to calculate C1^d to make a replica of the mask because C1^d = (e1^r)^d = e1^{dr}. In other words, after obtaining the mask replica, Bob inverts it and multiplies the result with C2 to remove the mask.

d. It might be said that Bob helps Alice make the mask (e1^{dr}) without revealing the value of d (d is already included in e2 = e1^d). Alice helps Bob make the mask (e1^{dr}) without revealing the value of r (r is already included in C1 = e1^r).




Security of ElGamal

Two attacks have been mentioned for the ElGamal cryptosystem in the literature: attacks based on low modulus and known-plaintext attacks.

Low-Modulus Attacks

If the value of p is not large enough, Eve can use some efficient algorithms (see Chapter 9) to solve the discrete logarithm problem to find d or r. If p is small, Eve can easily find d = log_{e1} e2 mod p and store it to decrypt any message sent to Bob. This can be done once and used as long as Bob uses the same keys. Eve can also use the value of C1 to find the random number r used by Alice in each transmission, r = log_{e1} C1 mod p. Both of these cases emphasize that the security of the ElGamal cryptosystem depends on the infeasibility of solving a discrete logarithm problem with a very large modulus. It is recommended that p be at least 1024 bits (300 decimal digits).

Known-Plaintext Attack

If Alice uses the same random exponent r to encrypt two plaintexts P and P', Eve discovers P' if she knows P. Assume that C2 = P × (e2^r) mod p and C2' = P' × (e2^r) mod p. Eve finds P' using the following steps:

1. (e2^r) = C2 × P^−1 mod p
2. P' = C2' × (e2^r)^−1 mod p

It is recommended that Alice use a fresh value of r to thwart the known-plaintext attacks.

   For the ElGamal cryptosystem to be secure, p must be at least 300 digits and r must be new for each encipherment.
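Algorithms 10.9 to 10.11, the inverse-free decryption of Example 10.11 and the known-plaintext attack just described, as one added Python example (my code, not the book's). It runs on the toy parameters of Example 10.10; the primitive-root test and the second message P' = 9 that Alice encrypts with the reused r are my own choices for illustration.

```python
# Added example (not from the book): ElGamal key generation, encryption and the
# two decryption variants of Algorithms 10.9-10.11 and Example 10.11, run on the
# toy parameters of Example 10.10 (p = 11, e1 = 2, d = 3, r = 4, P = 7), followed
# by the known-plaintext attack of the Security section.  The primitive-root
# test and the attack's second message P' = 9 are illustrative choices of mine.

def mod_inv(x, p):
    """Inverse of x in Z_p* for prime p via Fermat: x^(p-2) = x^-1 (mod p)."""
    return pow(x, p - 2, p)


def is_primitive_root(e1, p):
    """e1 generates Z_p* iff e1^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    n, prime_factors, q = p - 1, [], 2
    while q * q <= n:
        if n % q == 0:
            prime_factors.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if n > 1:
        prime_factors.append(n)
    return all(pow(e1, (p - 1) // q, p) != 1 for q in prime_factors)


def elgamal_key_generation(p, e1, d):
    """Algorithm 10.9: public key (e1, e2, p) with e2 = e1^d mod p; private key d."""
    if not is_primitive_root(e1, p):
        raise ValueError("e1 must be a primitive root modulo p")
    if not 1 <= d <= p - 2:
        raise ValueError("d must satisfy 1 <= d <= p - 2")
    return (e1, pow(e1, d, p), p), d


def elgamal_encryption(public_key, P, r):
    """Algorithm 10.10: C1 = e1^r mod p, C2 = P * e2^r mod p; r is Alice's one-time secret."""
    e1, e2, p = public_key
    return pow(e1, r, p), (P * pow(e2, r, p)) % p


def elgamal_decryption(d, p, C1, C2):
    """Algorithm 10.11: P = C2 * (C1^d)^-1 mod p, removing the mask with an inverse."""
    return (C2 * mod_inv(pow(C1, d, p), p)) % p


def elgamal_decryption_fermat(d, p, C1, C2):
    """Example 10.11: P = C2 * C1^(p-1-d) mod p; no inverse needed since C1^(p-1) = 1."""
    return (C2 * pow(C1, p - 1 - d, p)) % p


def known_plaintext_attack(p, C2, P, C2_prime):
    """Eve knows (P, C2) and intercepts C2' encrypted with the SAME r.  The mask
    e2^r = C2 * P^-1 is then shared, so P' = C2' * (e2^r)^-1 without d or r."""
    mask = (C2 * mod_inv(P, p)) % p
    return (C2_prime * mod_inv(mask, p)) % p


if __name__ == "__main__":
    public_key, d = elgamal_key_generation(11, 2, 3)      # ((2, 8, 11), 3)
    C1, C2 = elgamal_encryption(public_key, 7, 4)           # (5, 6)
    print(public_key, (C1, C2),
          elgamal_decryption(d, 11, C1, C2),                # 7
          elgamal_decryption_fermat(d, 11, C1, C2))         # 7
    # Alice reuses r = 4 for P' = 9; Eve, who knows P = 7, recovers P' from C2'
    _, C2_prime = elgamal_encryption(public_key, 9, 4)      # C2' = 3
    print("Eve recovers P' =", known_plaintext_attack(11, C2, 7, C2_prime))   # 9
```

The attack needs neither d nor r: reusing r makes the mask e2^r a constant shared by both ciphertexts, which is exactly why r must be fresh (and unpredictable) for every encipherment.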



Example 10.12

Here is a more realistic example. Bob uses a random integer of 512 bits (the ideal is 1024 bits). The integer p is a 155-digit number (the ideal is 300 digits). Bob then chooses e1, d, and calculates e2, as shown below. Bob announces (e1, e2, p) as his public key and keeps d as his private key.

\ 1 534859^7256 i 676244925313T170 1 433 !74f)4^Xi94532609834959S1 4346&19 
05&9B698£33*45932 J 29754^7W99*t4iiMg9^^7309aysi 5929993728(1 
' ii lfe596434735344(«>0S577 ■*■ ' 






973J8S41 






332 



£5450707*1 56 3 Wl IZ3 1 33 1 77046 1 0 1^^3601508^ 85377031 5 8 

2066010072558707*55 






Alice has the plaintext P = 3200 to send to Bob. She chooses r = 545131, calculates C1 and C2, and sends them to Bob.








172235?S712fiSl 1 ;4i a^fiSfe&n&S 1 7iftfi5Si53il 8Md5^J7373.fi355l3^^ 
.7B85»0«6l9i:raHM-- HI 









tf?£566430295Q 



Bob calculates the plaintext P = C2 × ((C1)^d)^−1 mod p = 3200 mod p.





































Application

ElGamal can be used whenever RSA can be used. It is used for key exchange, authentication, and encryption and decryption of small messages.



10.5 ELLIPTIC CURVE CRYPTOSYSTEMS

Although RSA and ElGamal are secure asymmetric-key cryptosystems, their security comes with a price, their large keys. Researchers have looked for alternatives that give the same level of security with smaller key sizes. One of these promising alternatives is the elliptic curve cryptosystem (ECC). The system is based on the theory of elliptic curves. Although the deep involvement of this theory is beyond the scope of this book, this section first gives a very simple introduction to three types of elliptic curves and then suggests a flavor of cryptosystem that uses some of these curves.



Elliptic Curves over Real Numbers

Elliptic curves, which are not directly related to ellipses, are cubic equations in two variables that are similar to the equations used to calculate the length of a curve in the circumference of an ellipse. The general equation for an elliptic curve is

y^2 + b1 xy + b2 y = x^3 + a1 x^2 + a2 x + a3







Elliptic curves over real numbers use a special class of elliptic curves of the form

y^2 = x^3 + ax + b

In the above equation, if 4a^3 + 27b^2 ≠ 0, the equation represents a nonsingular elliptic curve; otherwise, the equation represents a singular elliptic curve. In a nonsingular elliptic curve, the equation x^3 + ax + b = 0 has three distinct roots (real or complex); in a singular elliptic curve the equation x^3 + ax + b = 0 does not have three distinct roots.

Looking at the equation, we can see that the left-hand side has a degree of 2 while the right-hand side has a degree of 3. This means that a horizontal line can intersect the curve in three points if all roots are real. However, a vertical line can intersect the curve at most in two points.

Example 10.13

Figure 10.12 shows two elliptic curves with equations y^2 = x^3 − 4x and y^2 = x^3 − 1. Both are nonsingular. However, the first has three real roots (x = −2, x = 0, and x = 2), but the second has only one real root (x = 1) and two imaginary ones.

Figure 10.12 Two elliptic curves over a real field
a. Three real roots      b. One real and two imaginary roots



An Abelian Group

Let us define an abelian (commutative) group (see Chapter 4) using points on an elliptic curve. A tuple P = (x1, y1) represents a point on the curve if x1 and y1 are the coordinates of a point on the curve that satisfy the equation of the curve. For example, the points P = (2.0, 0.0), Q = (0.0, 0.0), R = (−2.0, 0.0), S = (10.0, 30.98), and T = (10.0, −30.98) are all points on the curve y^2 = x^3 − 4x. Note that each point is represented by two real numbers. Recall from Chapter 4 that to create an abelian group we need a set, an operation on the set, and five properties that are satisfied by the operation. The group in this case is G = <E, +>.







Set  We define the set as the points on the curve, where each point is a pair of real numbers. For example, the set E for the elliptic curve y^2 = x^3 − 4x is shown as

E = {(2.0, 0.0), (0.0, 0.0), (−2.0, 0.0), (10.0, 30.98), (10.0, −30.98), ...}

Operation  The specific properties of a nonsingular elliptic curve allow us to define an addition operation on the points of the curve. However, we need to remember that the addition operation here is different from the operation that has been defined for integers. The operation is the addition of two points on the curve to get another point on the curve.

To find R = P + Q on the curve, consider three cases as shown in Figure 10.13.



Figure 10.13 Three cases of adding points on an elliptic curve
a. R = P + Q      b. R = P + P      c. P + (−P) = O

1. In the first case, the two points P = (x1, y1) and Q = (x2, y2) have different x-coordinates and y-coordinates (x1 ≠ x2 and y1 ≠ y2), as shown in Figure 10.13a. The line connecting P and Q intercepts the curve at a point called −R. R is the reflection of −R with respect to the x-axis. The coordinates of the point R, x3 and y3, can be found by first finding the slope of the line, λ, and then calculating the values of x3 and y3 as shown below:

   λ = (y2 − y1) / (x2 − x1)      x3 = λ^2 − x1 − x2      y3 = λ(x1 − x3) − y1

2. In the second case, the two points overlap (R = P + P), as shown in Figure 10.13b. In this case, the slope of the line (the tangent at P) and the coordinates of the point R can be found as shown below:

   λ = (3x1^2 + a) / (2y1)      x3 = λ^2 − 2x1      y3 = λ(x1 − x3) − y1




3. In the third case, the two points are additive inverses of each other as shown in Figure 10.13c. If the first point is P = (x1, y1), the second point is Q = (x1, −y1). The line connecting the two points does not intercept the curve at a third point. Mathematicians say that the intercepting point is at infinity; they define a point O as the point at infinity or zero point, which is the additive identity of the group.

Properties of the Operation  The following are brief definitions of the properties of the operation as discussed in Chapter 4:

1. Closure: It can be proven that adding two points, using the addition operation defined in the previous section, creates another point on the curve.

2. Associativity: It can be proven that (P + Q) + R = P + (Q + R).

3. Commutativity: The group made from the points on a nonsingular elliptic curve is an abelian group; it can be proven that P + Q = Q + P.

4. Existence of identity: The additive identity in this case is the zero point, O. In other words P = P + O = O + P.

5. Existence of inverse: Each point on the curve has an inverse. The inverse of a point is its reflection with respect to the x-axis. In other words, the points P = (x1, y1) and Q = (x1, −y1) are inverses of each other, which means that P + Q = O. Note that the identity element is the inverse of itself.

A Group and a Field

Note that the previous discussion refers to two algebraic structures: a group and a field. The group defines the set of the points on the elliptic curve and the addition operation on the points. The field defines the addition, subtraction, multiplication, and division using operations on real numbers that are needed to find the addition of the points in the group.

Elliptic Curves over GF(p)

Our previous elliptic curve group used a real field for calculations involved in adding points. Cryptography requires modular arithmetic. We have defined an elliptic curve group with an addition operation, but the operations on the coordinates of the points are over the GF(p) field with p > 3. In modular arithmetic, the points on the curve do not make nice graphs as seen in the previous figures, but the concept is the same. We use the same addition operation with the calculation done in modulo p. We call the resulting elliptic curve E_p(a, b), where p defines the modulus and a and b are the coefficients of the equation y^2 = x^3 + ax + b. Note that although the value of x in this case ranges from 0 to p − 1, normally not all values of x give points on the curve.



Finding an Inverse

The inverse of a point (x, y) is (x, −y), where −y is the additive inverse of y. For example, if p = 13, the inverse of (4, 2) is (4, 11).

Finding Points on the Curve

Algorithm 10.12 shows the pseudocode for finding the points on the curve E_p(a, b).

Algorithm 10.12 Pseudocode for finding points on an elliptic curve

ellipticCurve_points (p, a, b)          // p is the modulus
{
  x ← 0
  while (x < p)
  {
    w ← (x^3 + ax + b) mod p            // w is y^2
    if (w is a perfect square in Z_p) output (x, √w) (x, −√w)
    x ← x + 1
  }
}


Example 10.14

Define an elliptic curve E_13(1, 1). The equation is y^2 = x^3 + x + 1 and the calculation is done modulo 13. Points on the curve can be found as shown in Figure 10.14.

Figure 10.14 Points on an elliptic curve over GF(13)

(0, 1)    (1, 4)    (4, 2)     (5, 1)     (7, 0)    (8, 1)     (10, 6)    (11, 2)     (12, 5)
(0, 12)   (1, 9)    (4, 11)    (5, 12)              (8, 12)    (10, 7)    (11, 11)    (12, 8)

(Graph: the points plotted on a 0 to 12 by 0 to 12 grid; each inverse pair lies on one vertical line.)

Note the following:

a. Some values of y^2 do not have a square root in modulo 13 arithmetic. These are not points on this elliptic curve. For example, the points with x = 2, x = 3, x = 6, and x = 9 are not on the curve.

b. Each point defined for the curve has an inverse. The inverses are listed as pairs. Note that (7, 0) is the inverse of itself.

c. Note that for a pair of inverse points, the y values are additive inverses of each other in Z_p. For example, 4 and 9 are additive inverses in Z_13. So we can say that if 4 is y, then 9 is −y.

d. The inverses are on the same vertical lines.







Adding Two Points

We use the elliptic curve group defined earlier but calculations are done in GF(p). Instead of subtraction and division, we use additive and multiplicative inverses.

Example 10.15

Let us add two points in Example 10.14, R = P + Q, where P = (4, 2) and Q = (10, 6).

a. λ = (6 − 2) × (10 − 4)^−1 mod 13 = 4 × 6^−1 mod 13 = 4 × 11 mod 13 = 5 mod 13
b. x = (5^2 − 4 − 10) mod 13 = 11 mod 13
c. y = [5 × (4 − 11) − 2] mod 13 = 2 mod 13
d. R = (11, 2), which is a point on the curve in Example 10.14.

Multiplying a Point by a Constant

In arithmetic, multiplying a number by a constant k means adding the number to itself k times. The situation here is the same. Multiplying a point P on an elliptic curve by a constant k means adding the point P to itself k times. For example, in E_13(1, 1), if the point (1, 4) is multiplied by 5, the result is the point (5, 1). If the point (8, 1) is multiplied by 3, the result is the point (10, 7).
Elliptic Curves over GF(2^n)

Calculation in the elliptic curve group can be defined over the GF(2^n) field. Recall from Chapter 4 that elements of the set in this field are n-bit words that can be interpreted as polynomials with coefficients in GF(2). Addition and multiplication on the elements are the same as addition and multiplication of polynomials. To define an elliptic curve over GF(2^n), one needs to change the cubic equation. The common equation is

y^2 + xy = x^3 + ax^2 + b

where b ≠ 0. Note that the values of x, y, a, and b are polynomials representing n-bit words.

Finding Inverses

If P = (x, y), then −P = (x, x + y).

Finding Points on the Curve

We can write an algorithm to find the points on the curve using generators for polynomials discussed in Chapter 7. This algorithm is left as an exercise. Following is a very trivial example.

Example 10.16

We choose GF(2^3) with elements {0, 1, g, g^2, g^3, g^4, g^5, g^6} using the irreducible polynomial f(x) = x^3 + x + 1, which means that g^3 + g + 1 = 0 or g^3 = g + 1. Other powers of g can be calculated accordingly. The following shows the values of the g^i's.

0 = 000      g^2 = 100      g^4 = 110      g^6 = 101
1 = 001      g^3 = 011      g^5 = 111
g = 010

Using the elliptic curve y^2 + xy = x^3 + g^3 x^2 + 1, with a = g^3 and b = 1, we can find the points on this curve, as shown in Figure 10.15.

Figure 10.15 Points on an elliptic curve over GF(2^3)

(0, 1)    (g, g^2)    (g^2, 1)      (g^3, g^2)    (g^4, 0)      (g^5, 1)      (g^6, g)
          (g, g^4)    (g^2, g^6)    (g^3, g^5)    (g^4, g^4)    (g^5, g^4)    (g^6, g^5)

(Graph: the points plotted on a grid whose axes are 0, 1, g, g^2, ..., g^6; each column holds an inverse pair.)



Adding Two Points

The rules for adding points in GF(2^n) are slightly different from the rules for GF(p).

1. If P = (x1, y1), Q = (x2, y2), Q ≠ −P and Q ≠ P, then R = (x3, y3) = P + Q can be found as

   λ = (y2 + y1) / (x2 + x1)      x3 = λ^2 + λ + x1 + x2 + a      y3 = λ(x1 + x3) + x3 + y1

2. If Q = P, then R = P + P (or R = 2P) can be found as

   λ = x1 + y1 / x1      x3 = λ^2 + λ + a      y3 = x1^2 + (λ + 1) x3

Example 10.17

Let us find R = P + Q, where P = (0, 1) and Q = (g^2, 1). We have λ = 0 and R = (g^5, g^4).

Example 10.18

Let us find R = 2P, where P = (g^2, 1). We have λ = g^2 + 1/g^2 = g^2 + g^5 = g + 1 and R = (g^6, g^5).

Multiplying a Point by a Constant

To multiply a point by a constant, the points must be added continuously with attention to the rule for R = 2P.
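The GF(2^3) arithmetic of Example 10.16 and the two addition rules above, as an added Python example (my code, not the book's). Field elements are 3-bit integers with g = 010, reduction is by the page's polynomial x^3 + x + 1, and the curve is the one of Figure 10.15; the brute-force point enumeration stands in for the algorithm the text leaves as an exercise and is my own.

```python
# Added example (not from the book): GF(2^3) arithmetic with the irreducible
# polynomial x^3 + x + 1 (Example 10.16), the binary-curve addition/doubling
# rules for y^2 + xy = x^3 + a x^2 + b, and the curve a = g^3, b = 1 of
# Figure 10.15 and Examples 10.17-10.18.  Elements are 3-bit ints; g = 010 = 2.

MOD_POLY = 0b1011         # x^3 + x + 1
FIELD_BITS = 3

def gf_mul(a, b):
    """Multiply two GF(2^3) elements: shift-and-xor, reducing whenever degree 3 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << FIELD_BITS):
            a ^= MOD_POLY
    return r

def gf_inv(a):
    """Inverse via a^(2^3 - 2): in GF(2^3), a^7 = 1 so a^6 = a^-1 (a != 0)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^3)")
    r, e = 1, (1 << FIELD_BITS) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def g_pow(k):
    """g^k for the generator g = x = 010 (g^0 = 1)."""
    r = 1
    for _ in range(k):
        r = gf_mul(r, 0b010)
    return r

A, B = g_pow(3), 1        # curve y^2 + xy = x^3 + g^3 x^2 + 1 (Figure 10.15)

def on_curve(pt):
    x, y = pt
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(A, gf_mul(x, x)) ^ B
    return lhs == rhs

def neg(pt):
    """-P = (x, x + y) in characteristic 2."""
    x, y = pt
    return (x, x ^ y)

def add(P, Q):
    """Binary-curve point addition; None stands for the zero point O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 ^ y2 == x1:                       # Q == -P (covers doubling a point with x = 0)
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))      # rule 2: lambda = x1 + y1/x1
        x3 = gf_mul(lam, lam) ^ lam ^ A
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))  # rule 1: lambda = (y1+y2)/(x1+x2)
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def multiply(k, P):
    """k x P by repeated addition, as the text describes (fine for this toy field)."""
    R = None
    for _ in range(k):
        R = add(R, P)
    return R

def curve_points():
    """Brute-force the 8 x 8 candidate pairs; the exercise the text leaves open."""
    return [(x, y) for x in range(8) for y in range(8) if on_curve((x, y))]

if __name__ == "__main__":
    print(curve_points())                                    # the 13 points of Figure 10.15
    print(add((0, 1), (g_pow(2), 1)))                        # Example 10.17: (g^5, g^4) = (7, 6)
    print(add((g_pow(2), 1), (g_pow(2), 1)))                 # Example 10.18: (g^6, g^5) = (5, 7)
```

Every sum lands back on the curve and every point added to its own inverse gives O, which is what makes the 13 affine points plus O a group of order 14 (so 14 × P = O for each point P).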




Elliptic Curve Cryptography Simulating ElGamal

Several methods have been used to encrypt and decrypt using elliptic curves. The common one is to simulate the ElGamal cryptosystem using an elliptic curve over GF(p) or GF(2^n), as shown in Figure 10.16.

Figure 10.16 ElGamal cryptosystem using the elliptic curve

Operations such as addition and multiplication are over an elliptic curve group.
(Figure: Bob's key generation produces the public key (E, e1, e2) and the private key d; Alice's encryption turns the plaintext point P into the pair (C1, C2); Bob's decryption recovers P from (C1, C2) and d.)

Generating Public and Private Keys

1. Bob chooses E(a, b) with an elliptic curve over GF(p) or GF(2^n).

2. Bob chooses a point on the curve, e1(x1, y1).

3. Bob chooses an integer d.

4. Bob calculates e2(x2, y2) = d × e1(x1, y1). Note that multiplication here means multiple addition of points as defined before.

5. Bob announces E(a, b), e1(x1, y1), and e2(x2, y2) as his public key; he keeps d as his private key.

Encryption

Alice selects P, a point on the curve, as her plaintext, P. She then calculates a pair of points on the curve as ciphertexts:

C1 = r × e1      C2 = P + r × e2

The reader may wonder how an arbitrary plaintext can be a point on the elliptic curve. This is one of the challenging issues in the use of the elliptic curve for simulation. Alice needs to use an algorithm to find a one-to-one correspondence between symbols (or a block of text) and the points on the curve.




Decryption

Bob, after receiving C1 and C2, calculates P, the plaintext, using the following formula.

P = C2 − (d × C1)      The minus sign here means adding with the inverse.

We can prove that the P calculated by Bob is the same as that intended by Alice, as shown below:

C2 − (d × C1) = (P + r × e2) − (d × (r × e1)) = P + r × (d × e1) − d × r × e1 = P + O = P

P, C1, C2, e1 and e2 are all points on the curve. Note that the result of adding two inverse points on the curve is the zero point.

Example 10.19

Here is a very trivial example of encipherment using an elliptic curve over GF(p).

1. Bob selects E_67(2, 3) as the elliptic curve over GF(p).

2. Bob selects e1 = (2, 22) and d = 4.

3. Bob calculates e2 = (13, 45), where e2 = d × e1.

4. Bob publicly announces the tuple (E, e1, e2).

5. Alice wants to send the plaintext P = (24, 26) to Bob. She selects r = 2.

6. Alice finds the point C1 = (35, 1), where C1 = r × e1.

7. Alice finds the point C2 = (21, 44), where C2 = P + r × e2.

8. Bob receives C1 and C2. He uses d × C1 = 4 × (35, 1) to get (23, 25).

9. Bob inverts the point (23, 25) to get the point (23, 42).

10. Bob adds (23, 42) with C2 = (21, 44) to get the original plaintext P = (24, 26).
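The GF(p) curve arithmetic of this section (Algorithm 10.12, the two addition cases, point multiplication) together with the ElGamal simulation, as one added Python example (my code, not the book's). It reproduces Examples 10.14 and 10.15, the multiplications on E_13(1, 1), and every step of the trivial E_67(2, 3) example just above; the double-and-add multiplication and the brute-force square-root search in points() are my own choices and are equivalent to the repeated addition and the perfect-square test the text describes.

```python
# Added example (not from the book): elliptic-curve arithmetic over GF(p) for
# y^2 = x^3 + ax + b (Algorithm 10.12, point addition/doubling, point
# multiplication) and the ElGamal simulation on the curve.  Reproduces the
# E_13(1, 1) examples and the E_67(2, 3) key generation, encryption and
# decryption of this section.  None represents the zero point O.

class CurveGFp:
    """y^2 = x^3 + a*x + b over GF(p), p prime and p > 3."""

    def __init__(self, p, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")
        self.p, self.a, self.b = p, a, b

    def inv(self, k):
        return pow(k % self.p, self.p - 2, self.p)      # Fermat: k^(p-2) = k^-1

    def on_curve(self, P):
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def points(self):
        """Algorithm 10.12: for each x, emit (x, +sqrt(w)) and (x, -sqrt(w)) when w = x^3+ax+b is a square."""
        out = []
        for x in range(self.p):
            w = (x ** 3 + self.a * x + self.b) % self.p
            for y in range(self.p):                     # brute-force square root; fine for small p
                if (y * y) % self.p == w:
                    out.append((x, y))
        return out

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                   # case 3: P + (-P) = O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * self.inv(2 * y1) % p      # case 2: R = P + P
        else:
            lam = (y2 - y1) * self.inv(x2 - x1) % p                  # case 1: R = P + Q
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """k x P by double-and-add; same result as adding P to itself k times."""
        R, Q = None, P
        while k:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R


def ec_elgamal_keygen(E, e1, d):
    """Public key (e1, e2 = d x e1), private key d."""
    return (e1, E.mul(d, e1)), d

def ec_elgamal_encrypt(E, e1, e2, P, r):
    """C1 = r x e1, C2 = P + r x e2."""
    return E.mul(r, e1), E.add(P, E.mul(r, e2))

def ec_elgamal_decrypt(E, d, C1, C2):
    """P = C2 - (d x C1): add C2 to the inverse of d x C1."""
    return E.add(C2, E.neg(E.mul(d, C1)))


if __name__ == "__main__":
    E13 = CurveGFp(13, 1, 1)
    print(E13.points())                                   # the 17 points of Figure 10.14
    print(E13.add((4, 2), (10, 6)))                       # Example 10.15: (11, 2)
    print(E13.mul(5, (1, 4)), E13.mul(3, (8, 1)))         # (5, 1) (10, 7)
    E67 = CurveGFp(67, 2, 3)
    (e1, e2), d = ec_elgamal_keygen(E67, (2, 22), 4)      # e2 = (13, 45)
    C1, C2 = ec_elgamal_encrypt(E67, e1, e2, (24, 26), 2) # (35, 1), (21, 44)
    print(e2, C1, C2, ec_elgamal_decrypt(E67, d, C1, C2)) # ... (24, 26)
```

The constructor rejects singular curves, and add() checks the inverse case before the doubling case so that doubling a point with y = 0 correctly yields O; without that order the doubling formula would divide by zero.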

Comparison

The following shows a quick comparison of the original ElGamal algorithm with its simulation using the elliptic curve.

a. The original algorithm uses a multiplicative group; the simulation uses an elliptic group.

b. The two exponents in the original algorithm are numbers in the multiplicative group; the two multipliers in the simulation are points on the elliptic curve.

c. The private key in each algorithm is an integer.

d. The secret numbers chosen by Alice in each algorithm are integers.

e. The exponentiation in the original algorithm is replaced by the multiplication of a point by a constant.

f. The multiplication in the original algorithm is replaced by addition of points.

g. The inverse in the original algorithm is the multiplicative inverse in the multiplicative group; the inverse in the simulation is the additive inverse of a point on the curve.

h. Calculation is usually easier in the elliptic curve because multiplication is simpler than exponentiation, addition is simpler than multiplication, and finding the inverse is much simpler in the elliptic curve group than in a multiplicative group.




Security of ECC

To decrypt the message, Eve needs to find the value of r or d.

a. If Eve knows r, she can use P = C2 − (r × e2) to find the point P related to the plaintext. But to find r, she needs to solve the equation C1 = r × e1. This means, given two points on the curve, C1 and e1, Eve must find the multiplier that creates C1 starting from e1. This is referred to as the elliptic curve logarithm problem, and the best known methods for solving it, such as the Pollard rho algorithm, are infeasible if r is large and p in GF(p) or n in GF(2^n) is large.

b. If Eve knows d, she can use P = C2 − (d × C1) to find the point P related to the plaintext. Because e2 = d × e1, this is the same type of problem. Eve knows the value of e1 and e2; she needs to find the multiplier d.

   The security of ECC depends on the difficulty of solving the elliptic curve logarithm problem.

Modulus Size

For the same level of security (computational effort), the modulus, n, can be smaller in ECC than in RSA. For example, ECC over GF(2^n) with n of 160 bits can provide the same level of security as RSA with n of 1024 bits.

10.6 RECOMMENDED READING

The following books and websites provide more details about subjects discussed in this chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

The RSA cryptosystem is discussed in [Sti06], [Sta06], [TW06], and [Mao04]. The Rabin and ElGamal cryptosystems are discussed in [Sti06] and [Mao04]. Elliptic curve cryptography is discussed in [Sti06] and [Eng99].

WebSites

The following websites give more information about topics discussed in this chapter.
www,dic,uiim .cditf^l y^c#&f/^^ 

w w w.batun!icifi^3 Jt/n Bcrs/par^^LTO^/HS A.-] 
fcUp:/ytn,wiJdped^4>rg^^ 

- ww^purdire.edb/hD]^ , -. 





10.7 KEY TERMS

asymmetric-key cryptography
blinding
broadcast attack
common modulus attack
cycling attack
ElGamal cryptosystem
elliptic curve cryptosystem
elliptic curve logarithm
function
invertible function
knapsack cryptosystem
low decryption exponent attack
low encryption exponent attack
nonsingular elliptic curve
one-way function (OWF)
optimal asymmetric encryption padding (OAEP)
power attack
private key
public key
Rabin cryptosystem
random fault attack
related message attack
revealed decryption exponent attack
RSA (Rivest, Shamir, Adleman) cryptosystem
short message attack
short pad attack
singular elliptic curve
superincreasing tuple
symmetric-key cryptography
timing attack
trapdoor
trapdoor one-way function (TOWF)
unconcealed message attack



10.8 SUMMARY

□ There are two ways to achieve secrecy: symmetric-key cryptography and asymmetric-key cryptography. These two will exist in parallel and complement each other; the advantages of one can compensate for the disadvantages of the other.

□ The conceptual differences between the two systems are based on how they keep a secret. In symmetric-key cryptography, the secret needs to be shared between two entities; in asymmetric-key cryptography, the secret is personal (unshared).

□ Symmetric-key cryptography is based on substitution and permutation of symbols; asymmetric-key cryptography is based on applying (mathematical) functions to numbers.

□ Asymmetric-key cryptography uses two separate keys: one private and one public. Encryption and decryption can be thought of as locking and unlocking padlocks with keys. The padlock that is locked with a public key can be unlocked only with the corresponding private key.

□ In asymmetric-key cryptography, the burden of providing security is mostly on the shoulders of the receiver (Bob), who needs to create two keys: one private and one public. Bob is responsible for distributing the public key to the community. This can be done through a public-key distribution channel.





□ Unlike symmetric-key cryptography, in asymmetric-key cryptography plaintexts and ciphertexts are treated as integers. The message must be encoded as an integer (or a set of integers) before encryption; the integer (or the set of integers) must be decoded into the message after decryption. Asymmetric-key cryptography is normally used to encrypt or decrypt small messages, such as a cipher key for symmetric-key cryptography.

□ The main idea behind asymmetric-key cryptography is the concept of the trapdoor one-way function (TOWF), which is a function such that f is easy to compute, but f^(−1) is computationally infeasible unless a trapdoor is used.

□ A brilliant idea of public-key cryptography came from Merkle and Hellman in their knapsack cryptosystem. If we are told which elements, from a predefined set of numbers, are in a knapsack, we can easily calculate the sum of the numbers; if we are told the sum, it is difficult to say which elements are in the knapsack unless the knapsack is filled with elements from a superincreasing set.

□ The most common public-key algorithm is the RSA cryptosystem. RSA uses two exponents, e and d, where e is public and d is private. Alice uses C = P^e mod n to create ciphertext C from plaintext P; Bob uses P = C^d mod n to retrieve the plaintext sent by Alice.

□ RSA uses two algebraic structures: a ring and a group. Encryption and decryption are done using the commutative ring R = <Z_n, +, ×> with two arithmetic operations: addition and multiplication. RSA uses a multiplicative group G = <Z_φ(n)*, ×> for key generation.

□ No devastating attacks have yet been discovered on RSA. Several attacks have been predicted based on factorization, chosen ciphertext, decryption exponent, encryption exponent, plaintext, modulus, and implementation.

□ The Rabin cryptosystem is a variation of the RSA cryptosystem. RSA is based on the exponentiation congruence; Rabin is based on quadratic congruence. We can think of Rabin as the RSA in which the value of e = 2 and d = 1/2. The Rabin cryptosystem is secure as long as p and q are large numbers. The complexity of the Rabin cryptosystem is at the same level as factoring a large number n into its two prime factors p and q.

□ The ElGamal cryptosystem is based on the discrete logarithm problem. ElGamal uses the idea of primitive roots in Z_p*. Encryption and decryption in ElGamal use the group G = <Z_p*, ×>. The public key is two exponents e1 and e2; the private key is an integer d. The security of ElGamal is based on the infeasibility of solving discrete logarithm problems. However, an attack based on low modulus and a known-plaintext attack have been mentioned in the literature.

□ Another cryptosystem discussed in this chapter is based on elliptic curves. Elliptic curves are cubic equations in two variables. Elliptic curves over real numbers use a special class of elliptic curves y^2 = x^3 + ax + b where 4a^3 + 27b^2 ≠ 0. An abelian group has been defined over the elliptic curve with an addition operation that shows how two points on the curve can be added to get another point on the curve.






□ Elliptic curve cryptography (ECC) uses two algebraic structures, an abelian group and a field. The field can be the nonfinite field of real numbers, GF(p), or GF(2^n). We have been shown how the ElGamal cryptosystem can be simulated using elliptic curves over finite fields. The security of the ECC depends on the elliptic curve logarithm problem, a solution which is infeasible if the modulus

10.9 PRACTICE SET

Review Questions
1. Distinguish between symmetric-key and asymmetric-key cryptosystems.

2. Distinguish between public and private keys in an asymmetric-key cryptosystem. Compare and contrast the keys in symmetric-key and asymmetric-key cryptosystems.

3. Define a trapdoor one-way function and explain its use in asymmetric-key cryptography.

4. Briefly explain the idea behind the knapsack cryptosystem.
   a. What is the one-way function in this system?
   b. What is the trapdoor in this system?
   c. Define the public and private keys in this system.
   d. Describe the security of this system.

5. Briefly explain the idea behind the RSA cryptosystem.
   a. What is the one-way function in this system?
   b. What is the trapdoor in this system?
   c. Define the public and private keys in this system.
   d. Describe the security of this system.

6. Briefly explain the idea behind the Rabin cryptosystem.
   a. What is the one-way function in this system?
   b. What is the trapdoor in this system?
   c. Define the public and private keys in this system.
   d. Describe the security of this system.

7. Briefly explain the idea behind the ElGamal cryptosystem.
   a. What is the one-way function in this system?
   b. What is the trapdoor in this system?
   c. Define the public and private keys in this system.
   d. Describe the security of this system.

8. Briefly explain the idea behind ECC.
   a. What is the one-way function in this system?
   b. What is the trapdoor in this system?
   c. Define the public and private keys in this system.
   d. Describe the security of this system.





9. Define elliptic curves and explain their applications in cryptography.

10. Define the operation used in the abelian group made of points on an elliptic curve.

Exercises

11. Given the superincreasing tuple b = [7, 11, 23, 43, 87, 173, 357], r = 41, and modulus n = 1001, encrypt and decrypt the letter "a" using the knapsack cryptosystem. Use [7 6 5 1 2 3 4] as the permutation table.

12. In RSA:
    a. Given n = 221 and e = 5, find d.
    b. Given n = 3931 and e = 17, find d.
    c. Given p = 19, q = 23, and e = […], find n, φ(n), and d.

13. To understand the security of the RSA algorithm, find d if you know that e = 17 and n = 187.

14. In RSA, given n and […], calculate […].

15. In RSA, given e = 13 and n = 100:
    a. Encrypt the message "HOW ARE YOU" using 00 to 25 for letters A to Z and 26 for the space. Use different blocks to make P < n.

16. In RSA, given n = 12091 and e = 13, encrypt the message "THIS IS TOUGH" using the 00 to 26 encoding scheme. Decrypt the ciphertext to find the original message.

17. In RSA:
    a. Why can't Bob choose 1 as the public key e?
    b. What is the problem in choosing 2 as the public key e?

18. Alice uses Bob's RSA public key (e = 17, n = 19519) to send a four-character message to Bob using the (A → 00, B → 01, ..., Z → 25) encoding scheme and encrypting each character separately. Eve intercepts the ciphertext ([…] 0 2968 17863) and decrypts the message without factoring the modulus. Find the plaintext and explain why Eve could easily break the ciphertext.

19. Alice uses Bob's RSA public key (e = 7, n = 143) to send the plaintext P = 8 encrypted as ciphertext C = 57. Show how Eve can use the chosen-ciphertext attack if she has access to Bob's computer to find the plaintext.

20. Alice uses Bob's RSA public key (e = 3, n = 35) and sends the ciphertext 22 to Bob. Show how Eve can find the plaintext using the cycling attack.

21. Suggest how Alice can prevent a related message attack on RSA.

22. Using the Rabin cryptosystem with p = 47 and q = 11:
    a. Encrypt P = 17 to find the ciphertext.
    b. Use the Chinese remainder theorem to find four possible plaintexts.

23. In ElGamal, given the prime p = 31:
    a. Choose an appropriate e1 and d, then calculate e2.
    b. Encrypt the message "HELLO"; use 00 to 25 for encoding. Use different blocks to make P < p.
    c. Decrypt the ciphertext to obtain the plaintext.

24. In ElGamal, what happens if C1 and C2 are swapped during transmission?

25. Assume that Alice uses Bob's ElGamal public key (e1 = 2 and e2 = 8) to send two messages P = 17 and P' = 37 using the same random integer r = 9. Eve intercepts the ciphertext and somehow she finds the value of P = 17. Show how Eve can use a known-plaintext attack to find the value of P'.

26. In the elliptic curve E(1, 2) over the GF(11) field:
    a. Find the equation of the curve.
    b. Find all points on the curve and make a figure similar to Figure 10.14.
    c. Generate public and private keys for Bob.
    d. Choose a point on the curve as a plaintext for Alice.
    e. Create ciphertext corresponding to the plaintext in part d for Alice.
    f. Decrypt the ciphertext for Bob to find the plaintext sent by Alice.

27. In the elliptic curve E([…], 1) over the GF(2^4) field:
    a. Find the equation of the curve.
    b. Find all points on the curve and make a figure similar to Figure 10.15.
    c. Generate public and private keys for Bob.
    d. Choose a point on the curve as a plaintext for Alice.
    e. Create ciphertext corresponding to the plaintext in part d for Alice.
    f. Decrypt the ciphertext for Bob to find the plaintext sent by Alice.

28. Using the knapsack cryptosystem:
    a. Write an algorithm for encryption.
    b. Write an algorithm for decryption.

29. In RSA:
    a. Write an algorithm for encryption using OAEP.
    b. Write an algorithm for decryption using OAEP.

30. Write an algorithm for a cycling attack on RSA.

31. Write an algorithm to add two points on an elliptic curve over GF(p).

32. Write an algorithm to add two points on an elliptic curve over GF(2^n).





In Chapter 1, we saw that cryptography provides three techniques: symmetric-key ciphers, asymmetric-key ciphers, and hashing. Part Three discusses cryptographic hash functions and their applications. This part also explores other issues related to topics discussed in Parts One and Two, such as key management. Chapter 11 discusses the general ideas behind message integrity and message authentication. Chapter 12 explores several cryptographic hash functions. Chapter 13 discusses digital signatures. Chapter 14 shows the ideas and methods of entity authentication. Finally, Chapter 15 discusses key management used for symmetric-key and asymmetric-key cryptography.

Chapter 11: Message Integrity and Message Authentication

Chapter 11 discusses general ideas related to cryptographic hash functions that are used to create a message digest from a message. Message digests guarantee the integrity of the message. The chapter then shows how simple message digests can be modified to authenticate the message.

Chapter 12: Cryptographic Hash Functions

Chapter 12 investigates several standard cryptographic hash functions belonging to two broad categories: those with a compression function made from scratch and those with a block cipher as the compression function. The chapter then describes one hash function from each category, SHA-512 and Whirlpool.




Chapter 13: Digital Signatures

Chapter 13 discusses digital signatures. The chapter introduces several digital signature schemes, including RSA, ElGamal, Schnorr, DSS, and elliptic curve. The chapter also investigates some attacks on the above schemes and how they can be prevented.



Chapter 14: Entity Authentication

Chapter 14 first distinguishes between message authentication and entity authentication. The chapter then discusses some methods of entity authentication, including the use of passwords, challenge-response methods, and zero-knowledge protocols. The chapter also includes some discussion of biometrics.

Chapter 15: Key Management

Chapter 15 first explains different approaches to key management, including the use of a key-distribution center (KDC), certification authorities (CAs), and public-key infrastructure (PKI). The chapter shows how symmetric-key and asymmetric-key cryptography can complement each other to solve some problems such as key management.

Chapter 11

Message Integrity and Message Authentication

This chapter has several objectives:

□ To define message integrity

□ To define message authentication

□ To define criteria for a cryptographic hash function

□ To define the Random Oracle Model and its role in evaluating the security of cryptographic hash functions

□ To distinguish between an MDC and a MAC

□ To discuss some common MACs

This is the first of three chapters devoted to message integrity, message authentication, and entity authentication. This chapter discusses general ideas related to cryptographic hash functions that are used to create a message digest from a message. Message digests guarantee the integrity of the message. We then discuss how simple message digests can be modified to authenticate the message. The standard cryptographic hash functions are developed in Chapter 12.





11.1 MESSAGE INTEGRITY

The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity. For example, Alice may write a will to distribute her estate upon her death. The will does not need to be encrypted. After her death, anyone can examine the will. The integrity of the will, however, needs to be preserved. Alice does not want the contents of the will to be changed.






Document and Fingerprint

One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document. Eve cannot modify the contents of this document or create a false document because she cannot forge Alice's fingerprint. To ensure that the document has not been changed, Alice's fingerprint on the document can be compared to Alice's fingerprint on file. If they are not the same, the document is not from Alice.

Message and Message Digest

The electronic equivalent of the document and fingerprint pair is the message and digest pair. To preserve the integrity of a message, the message is passed through an algorithm called a cryptographic hash function. The function creates a compressed image of the message that can be used like a fingerprint. Figure 11.1 shows the message, cryptographic hash function, and message digest.

Figure 11.1 Message and digest (figure: Message → Cryptographic hash function → Message digest (fingerprint))



Difference

The two pairs (document/fingerprint) and (message/message digest) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked (or sent) separately, and, most importantly, the message digest needs to be safe from change.

The message digest needs to be safe from change.



Checking Integrity

To check the integrity of a message, or document, we run the cryptographic hash function again and compare the new message digest with the previous one. If both are the same, we are sure that the original message has not been changed. Figure 11.2 shows the idea.



Cryptographic Hash Function Criteria

A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, and collision resistance, as shown in Figure 11.3.



Figure 11.2 Checking integrity (figure: the current digest is compared with the previous one; "Message is changed" if they differ, "Message is not changed" if they match)



Figure 11.3 Criteria of a cryptographic hash function (figure: preimage resistance, second preimage resistance, collision resistance)

Preimage Resistance

A cryptographic hash function must be preimage resistant. Given a hash function h and y = h(M), it must be extremely difficult for Eve to find any message M' such that y = h(M'). Figure 11.4 shows the idea.

Figure 11.4 Preimage (figure: M: Message; Hash: Hash function; Alice sends M and h(M) to Bob; Eve is given y = h(M))


If the hash function is not preimage resistant, Eve can intercept the digest h(M) and create a message M'. Eve can then send M' to Bob pretending it is M.

Preimage Attack
Given: y = h(M)    Find: M' such that y = h(M')



Example 11.1

Can we use a conventional lossless compression method such as StuffIt as a cryptographic hash function?

Solution

We cannot. A lossless compression method creates a compressed message that is reversible. You can uncompress the compressed message to get the original one.

Example 11.2

Can we use a checksum function as a cryptographic hash function?

Solution

We cannot. A checksum function is not preimage resistant. Eve may find several messages whose checksum matches the given one.

Second Preimage Resistance

The second criterion, second preimage resistance, ensures that a message cannot easily be forged. If Alice creates a message and a digest and sends both to Bob, this criterion ensures that Eve cannot easily create another message that hashes to the exact same digest. In other words, given a specific message and its digest, it is impossible (or at least very difficult) to create another message with the same digest. Figure 11.5 shows the idea.

Eve intercepts (has access to) a message M and its digest h(M). She creates another message M' ≠ M, but h(M) = h(M'). Eve sends M' and h(M') to Bob. Eve has forged the message.

Second Preimage Attack
Given: M and h(M)    Find: M' ≠ M such that h(M) = h(M')

Collision Resistance

The third criterion, collision resistance, ensures that Eve cannot find two messages that hash to the same digest. Here the adversary can create two messages (from scratch) that hash to the same digest. We will see later how Eve can benefit from this weakness in the hash function. For the moment, suppose two different wills can be created that hash to the same digest. When the time comes for the execution of the will, the second (forged) will is presented to the heirs. Because the digest matches both wills, the substitution is undetected. Figure 11.6 shows the idea. We will see later that this type of attack is much easier to launch than the two previous kinds. In other words, we need to be particularly sure that a hash function is collision resistant.



Figure 11.5 Second preimage (figure: Given: M and h(M); Find: M' such that M ≠ M' but h(M) = h(M'); Hash: hash function; Eve sends M' and h(M') to Bob)

Figure 11.6 Collision resistance (figure: M: Message; Hash: Hash function; h(M): Digest; Given: none; Collision attack: Find M and M' such that M ≠ M' but h(M) = h(M'))



11.2 RANDOM ORACLE MODEL

The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function. A function based on this model behaves as follows:

1. When a new message of any length is given, the oracle creates and gives a fixed-length message digest that is a random string of 0s and 1s. The oracle records the message and the message digest.

2. When a message is given for which a digest exists, the oracle simply gives the digest in the record.




3. The digest for a new message needs to be chosen independently from all previous digests. This implies that the oracle cannot use a formula or an algorithm to calculate the digest.



Example 11.3

Assume an oracle with a table and a fair coin. The table has two columns. The left column shows the messages whose digests have been issued by the oracle. The second column lists the digests created for these messages. Assume that the digest is always 16 bits regardless of the size of the message. Table 11.1 shows an example of this table in which the message and the message digest are listed in hexadecimal. The oracle has already created three digests.



Table 11.1 Oracle table after issuing the first three digests

Message                          Message Digest
4523AB1352CDEF45                 13AB
723BAE38F2AB3457AC               […]
AB45CD1048765412AA[…]6662BE      A38B



Now assume that two events occur:

a. The message AB1234CDB765BDAD is given for digest calculation. The oracle checks its table. This message is not in the table, so the oracle flips its coin 16 times. Assume that the result is HHTHHHTTHTHHTTTH, in which the letter H represents heads and the letter T represents tails. The oracle interprets H as a 1-bit and T as a 0-bit and gives 1101110010110001 in binary, or DCB1 in hexadecimal, as the message digest for this message and adds the note of the message and the digest in the table (Table 11.2).

Table 11.2 Oracle table after issuing the fourth digest

Message                          Message Digest
4523AB1352CDEF45                 13AB
723BAE38F2AB3457AC               […]
AB45CD1048765412AA[…]6662BE      A38B
AB1234CDB765BDAD                 DCB1

b. The message 4523AB1352CDEF45 is given for digest calculation. The oracle checks its table and finds that there is a digest for this message in the table (first row). The oracle simply gives the corresponding digest (13AB).



Example 11.4

The oracle in Example 11.3 cannot use a formula or algorithm to create the digest for a message. For example, imagine the oracle uses the formula h(M) = M mod n. Now suppose that the oracle has already given h(M1) and h(M2). If a new message is presented as M3 = M1 + M2, the oracle does not have to calculate h(M3). The new digest is just [h(M1) + h(M2)] mod n since

h(M3) = (M1 + M2) mod n = [(M1 mod n) + (M2 mod n)] mod n = [h(M1) + h(M2)] mod n



This violates the third requirement that each digest must be randomly chosen based on the message given to the oracle.

Pigeonhole Principle

The first concept we need to be familiar with to understand the analysis of the Random Oracle Model is the pigeonhole principle: if n pigeonholes are occupied by n + 1 pigeons, then at least one pigeonhole is occupied by two pigeons. The generalized version of the pigeonhole principle is that if n pigeonholes are occupied by kn + 1 pigeons, then at least one pigeonhole is occupied by k + 1 pigeons.

Because the whole idea of hashing dictates that the digest should be shorter than the message, according to the pigeonhole principle there can be collisions. In other words, there are some digests that correspond to more than one message; the relationship between the possible messages and possible digests is many-to-one.



Example 11.5

Assume that the messages in a hash function are 6 bits long and the digests are only 4 bits long. Then the possible number of digests (pigeonholes) is 2^4 = 16, and the possible number of messages (pigeons) is 2^6 = 64. This means n = 16 and kn + 1 = 64, so k is larger than 3. The conclusion is that at least one digest corresponds to four (k + 1) messages.

Birthday Problems

The second thing we need to know before analyzing the Random Oracle Model is the famous birthday problems. Four different birthday problems are usually encountered in probability courses. The third problem, sometimes referred to as the birthday paradox, is the most common one in the literature. Figure 11.7 shows the idea of each problem.



Figure 11.7 Four birthday problems (figure: a. First problem; b. Second problem; c. Third problem; d. Fourth problem; each panel shows a set of values, a predefined or selected value where applicable, and the event "equal with probability 1/2")




Description of Problems

Below the birthday problems are described in terms that can be applied to the security of hash functions. Note that the term "likely" in all cases means with the probability P > 1/2.

□ Problem 1: What is the minimum number, k, of students in a classroom such that it is likely that at least one student has a predefined birthday? This problem can be generalized as follows. We have a uniformly distributed random variable with N possible values (between 0 and N − 1). What is the minimum number of instances, k, such that it is likely that at least one instance is equal to a predefined value?

□ Problem 2: What is the minimum number, k, of students in a classroom such that it is likely that at least one student has the same birthday as the student selected by the professor? This problem can be generalized as follows. We have a uniformly distributed random variable with N possible values (between 0 and N − 1). What is the minimum number of instances, k, such that it is likely that at least one instance is equal to the selected one?

□ Problem 3: What is the minimum number, k, of students in a classroom such that it is likely that at least two students have the same birthday? This problem can be generalized as follows. We have a uniformly distributed random variable with N possible values (between 0 and N − 1). What is the minimum number of instances, k, such that it is likely that at least two instances are equal?

□ Problem 4: We have two classes, each with k students. What is the minimum value of k so that it is likely that at least one student from the first classroom has the same birthday as a student from the second classroom? This problem can be generalized as follows. We have a uniformly distributed random variable with N possible values (between 0 and N − 1). We generate two sets of random values each with k instances. What is the minimum number, k, such that it is likely that at least one instance from the first set is equal to one instance in the second set?

Summary of Solutions

Solutions to these problems are given in Appendix E for interested readers. The results are summarized in Table 11.3.

Table 11.3 Summarized solutions to four birthday problems

Problem   Probability                   General value of k                        k for P = 1/2         k for N = 365
1         P ≈ 1 − e^(−k/N)              k ≈ ln[1/(1 − P)] × N                     k ≈ 0.69 × N          253
2         P ≈ 1 − e^(−(k−1)/N)          k ≈ ln[1/(1 − P)] × N + 1                 k ≈ 0.69 × N + 1      254
3         P ≈ 1 − e^(−k(k−1)/(2N))      k ≈ {2 ln[1/(1 − P)]}^(1/2) × N^(1/2)     k ≈ 1.18 × N^(1/2)    23
4         P ≈ 1 − e^(−k^2/N)            k ≈ {ln[1/(1 − P)]}^(1/2) × N^(1/2)       k ≈ 0.83 × N^(1/2)    16

The value k = 23 for problem 3 is the solution to the classical birthday paradox: if there are just 23 students in a classroom, it is likely (with P > 1/2) that two students have the same birthday (ignoring the year they have been born).



Comparison

The value of k in problems 1 or 2 is proportional to N; the value of k in problems 3 or 4 is proportional to N^(1/2). As we will see shortly, the first two problems are related to preimage and second preimage attacks; the third and the fourth problems are related to the collision attack. The comparison shows it is much more difficult to launch a preimage or second preimage attack than to launch a collision attack. Figure 11.8 gives the graph of P versus k. For the first and second problems only one graph is shown (the probabilities are very close); the graphs for the third and the fourth problems are more distinct.




Figure 11.8 Graph of four birthday problems (figure: P versus k, with one curve for the first and second problems, one for the third problem, and one for the fourth problem)



Attacks on Random Oracle Model

To better understand the nature of the hash function and the importance of the Random Oracle Model, consider how Eve can attack a hash function created by the oracle. Suppose that the hash function creates digests of n bits. Then the digest can be thought of as a random variable uniformly distributed between 0 and N − 1 in which N = 2^n. In other words, there are 2^n possible values for the digest; each time the oracle randomly selects one of these values for a message. Note that this does not mean that the selection is exhaustive; some values may never be selected, but others may be selected several times. We assume that the hash function algorithm is public and Eve knows the size of the digest, n.

Preimage Attack

Eve has intercepted a digest D = h(M); she wants to find any message M' such that D = h(M'). Eve can create a list of k messages and run Algorithm 11.1.

Algorithm 11.1 Preimage attack

Preimage_Attack (D)
{
    for (i = 1 to k)
    {
        create (M[i])
        T ← h(M[i])                  // T is a temporary digest
        if (T = D) return M[i]
    }
    return failure
}

The algorithm can find a message for which D is the digest or it may fail. What is the probability of success of this algorithm? Obviously, it depends on the size of the list, k, chosen by Eve. To find the probability, we use the first birthday problem. The digest created by the program defines the outcomes of a random variable. The probability of success is P ≈ 1 − e^(−k/N). If Eve needs to be at least 50 percent successful, what should be the size of k? We also showed this value in Table 11.3 for the first birthday problem: k ≈ 0.69 × N ≈ 0.69 × 2^n. In other words, for Eve to be successful more than 50 percent of the time, she needs to create a list of digests that is proportional to 2^n.

The difficulty of a preimage attack is proportional to 2^n.

Example 11.6

A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create to find the original message with the probability more than 50 percent?

Solution

The number of digests to be created is k ≈ 0.69 × 2^n ≈ 0.69 × 2^64. This is a large number. Even if Eve can create 2^30 (almost one billion) messages per second, it takes 0.69 × 2^64 / 2^30 seconds, or more than 500 years. This means that a message digest of size 64 bits is secure with respect to preimage attack, but, as we will see shortly, is not secure against collision attack.

Second Preimage Attack

Eve has intercepted a digest D = h(M) and the corresponding message M; she wants to find another message M' so that h(M') = D. Eve can create a list of k − 1 messages and run Algorithm 11.2.

Algorithm 11.2 Second preimage attack

Second_Preimage_Attack (D, M)
{
    for (i = 1 to k − 1)
    {
        create (M[i])
        T ← h(M[i])                  // T is a temporary digest
        if (T = D) return M[i]
    }
    return failure
}

The algorithm can find a second message for which D is also the digest or it may fail. What is the probability of success of this algorithm? Obviously, it depends on the size of the list, k, chosen by Eve. To find the probability, we use the second birthday problem. The digest created by the program defines the outcomes of a random variable. The probability of success is P ≈ 1 − e^(−(k−1)/N). If Eve needs to be at least 50 percent successful, what should be the size of k? We also showed this value in Table 11.3 for the second birthday problem: k ≈ 0.69 × N + 1 or k ≈ 0.69 × 2^n + 1. In other words, for Eve to be successful more than 50 percent of the time, she needs to create a list of digests that is proportional to 2^n.

The difficulty of a second preimage attack is proportional to 2^n.



Collision Attack

Eve needs to find two messages, M and M', such that h(M) = h(M'). Eve can create a
list of k messages and run Algorithm 11.3.

Algorithm 11.3 Collision attack

Collision_Attack
{
    for (i = 1 to k)
    {
        create (M[i])
        D[i] ← h(M[i])               // D[ ] is a list of created digests
        for (j = 1 to i - 1)
        {
            if (D[i] = D[j]) return (M[i] and M[j])
        }
    }
    return failure
}

The algorithm can find two messages with the same digest or it may fail. What is the
probability of success of this algorithm? Obviously, it depends on the size of the list, k, chosen
by Eve. To find the probability, we use the third birthday problem. The digest created
by the program defines the outcomes of a random variable. The probability of success is
P = 1 - e^{-k(k-1)/2N}. If Eve needs to be at least fifty percent successful, what should
be the size of k? We also showed this value in Table 11.3 for the third birthday problem:
k = 1.18 × N^{1/2}, or k ≈ 1.18 × 2^{n/2}. In other words, for Eve to be successful
more than 50 percent of the time, she needs to create a list of digests that is proportional
to 2^{n/2}.

The difficulty of a collision attack is proportional to 2^{n/2}.




Example 11.7

A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create
to find two messages with the same digest with the probability more than 0.5?

Solution

The number of digests to be created is k = 1.18 × 2^{n/2} = 1.18 × 2^32. If Eve can test 2^20 (almost
one million) messages per second, it takes 1.18 × 2^12 seconds, or less than two hours. This means
that a message digest of size 64 is not secure against the collision attack.

The previous collision attack may not be useful for Eve. The adversary needs to create
two messages, one real and one bogus, that hash to the same value. Each message
should be meaningful. The previous algorithm does not provide this type of collision.
The solution is to create two meaningful messages, but add redundancies or modifications
to the message to change the contents of the message without changing the meaning
of each. For example, a number of messages can be made from the first message by
adding spaces, or changing the words, or adding some redundant words, and so on. The
second message can also create a number of messages. Let us call the original message
M and the bogus message M'. Eve creates k different variants of M (M_1, M_2, ..., M_k)
and k different variants of M' (M'_1, M'_2, ..., M'_k). Eve then uses Algorithm 11.4 to
launch the attack.

Alternate Collision Attack

Algorithm 11.4 Alternate collision attack

Alternate_Collision_Attack (M[k], M'[k])
{
    for (i = 1 to k)
    {
        D[i] ← h(M[i])
        D'[i] ← h(M'[i])
    }
    for (i = 1 to k)
    {
        for (j = 1 to k)               // every digest in one list is compared with every digest in the other
        {
            if (D[i] = D'[j]) return (M[i], M'[j])
        }
    }
    return failure
}

What is the probability of success of this algorithm? Obviously, it depends on the
size of the list, k, chosen by Eve. To find the probability, we use the fourth birthday
problem. The two digest lists created by the program define the two outcomes of a random
variable. The probability of success is P = 1 - e^{-k^2/N}. If Eve needs to be at least 50 percent
successful, what should be the size of k? We also showed this value in Table 11.3
for the fourth birthday problem: k = 0.83 × N^{1/2} or k ≈ 0.83 × 2^{n/2}. In other words, for
Eve to be successful more than 50% of the time, she needs to create a list of digests that
is proportional to 2^{n/2}.

The difficulty of an alternative collision attack is proportional to 2^{n/2}.



Summary of Attacks

Table 11.4 shows the level of difficulty for each attack if the digest is n bits.

Table 11.4 Levels of difficulties for each type of attack

    Attack                 Difficulty
    Preimage               k ≈ 0.69 × 2^n
    Second preimage        k ≈ 0.69 × 2^n + 1
    Collision              k ≈ 1.18 × 2^{n/2}
    Alternate collision    k ≈ 0.83 × 2^{n/2}

Table 11.4 shows that the order, or the difficulty rate of the attack, is much less for a
collision attack than for preimage or second preimage attacks. If a hash algorithm is
resistant to collision, we should not worry about preimage and second preimage attacks.
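The list sizes in Table 11.4 can be checked empirically on a scaled-down hash, as an added example that is not part of the book: it models the ideal n-bit hash of the Random Oracle Model by truncating SHA-256 to n bits, runs Algorithms 11.1 to 11.4 with the Table 11.4 list size, and reports the observed success rate, which should come out near 1/2. The function names, the choice of n = 12, the seed, and the random 8-byte messages standing in for "create (M[i])" are assumptions of the example; the inner j loop of Algorithm 11.3 is replaced by a map lookup, which changes the cost but not which pairs get compared.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"math/rand"
)

// truncHash models an ideal n-bit hash (the random oracle of Section 11.2)
// by keeping the low n bits of SHA-256. n must be at most 32 here.
func truncHash(msg []byte, n uint) uint32 {
	d := sha256.Sum256(msg)
	return binary.BigEndian.Uint32(d[:4]) & (uint32(1)<<n - 1)
}

// ListSize returns the list size k of Table 11.4 for an n-bit digest.
func ListSize(attack string, n uint) float64 {
	N := math.Pow(2, float64(n))
	switch attack {
	case "preimage":
		return 0.69 * N
	case "second_preimage":
		return 0.69*N + 1
	case "collision":
		return 1.18 * math.Sqrt(N)
	case "alternate_collision":
		return 0.83 * math.Sqrt(N)
	}
	panic("unknown attack: " + attack)
}

// newMsg is Eve's "create (M[i])": a fresh random 8-byte message (constructed input).
func newMsg(rng *rand.Rand) []byte {
	m := make([]byte, 8)
	rng.Read(m)
	return m
}

// preimage is Algorithm 11.1: k candidates against one target digest D.
func preimage(D uint32, k int, n uint, rng *rand.Rand) bool {
	for i := 0; i < k; i++ {
		if truncHash(newMsg(rng), n) == D {
			return true
		}
	}
	return false
}

// collision is Algorithm 11.3; the map plays the role of the D[j] list.
func collision(k int, n uint, rng *rand.Rand) bool {
	seen := make(map[uint32]bool)
	for i := 0; i < k; i++ {
		d := truncHash(newMsg(rng), n)
		if seen[d] {
			return true
		}
		seen[d] = true
	}
	return false
}

// altCollision is Algorithm 11.4: digests of the k variants of M' are stored,
// then each of the k variants of M is checked against all of them.
func altCollision(k int, n uint, rng *rand.Rand) bool {
	bogus := make(map[uint32]bool)
	for i := 0; i < k; i++ {
		bogus[truncHash(newMsg(rng), n)] = true
	}
	for i := 0; i < k; i++ {
		if bogus[truncHash(newMsg(rng), n)] {
			return true
		}
	}
	return false
}

// SuccessRate runs the named attack `trials` times with the Table 11.4 list
// size and returns the observed fraction of successes (expected near 1/2).
func SuccessRate(attack string, n uint, trials int, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	k := int(math.Ceil(ListSize(attack, n)))
	wins := 0
	for t := 0; t < trials; t++ {
		var ok bool
		switch attack {
		case "preimage":
			ok = preimage(truncHash(newMsg(rng), n), k, n, rng)
		case "second_preimage":
			// Eve already holds M and D = h(M); she creates k-1 new messages.
			ok = preimage(truncHash(newMsg(rng), n), k-1, n, rng)
		case "collision":
			ok = collision(k, n, rng)
		case "alternate_collision":
			ok = altCollision(k, n, rng)
		}
		if ok {
			wins++
		}
	}
	return float64(wins) / float64(trials)
}

func main() {
	for _, a := range []string{"preimage", "second_preimage", "collision", "alternate_collision"} {
		fmt.Printf("%-20s k=%7.0f  observed P=%.2f\n", a, ListSize(a, 12), SuccessRate(a, 12, 200, 1))
	}
}
```

With n = 64 the same ListSize reproduces Example 11.7: 1.18 × 2^32 digests, which at 2^20 tests per second is under two hours, while the preimage list for the same digest size is 2^32 times longer.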

Example 11.8

Originally hash functions with a 64-bit digest were believed to be immune to collision attacks.
But with the increase in the processing speed, today everyone agrees that these hash functions are
no longer secure. Eve needs only 2^{64/2} = 2^32 tests to launch an attack with probability 1/2 or
more. Assume she can perform 2^20 (one million) tests per second. She can launch an attack in
2^{32-20} = 2^12 seconds (almost an hour).

Example 11.9

MD5 (see Chapter 12), which was one of the standard hash functions for a while, creates
digests of 128 bits. To launch a collision attack, the adversary needs to test 2^{128/2} = 2^64 tests in the
collision algorithm. Even if the adversary can perform 2^30 (more than one billion) tests in a
second, it takes 2^34 seconds (more than 500 years) to launch an attack. This type of attack is based
on the Random Oracle Model. It has been proved that MD5 can be attacked in less than 2^64 tests
because of the structure of the algorithm.

Example 11.10

SHA-1 (see Chapter 12), a standard hash function developed by NIST, creates digests of 160 bits.
The function is widely used. To launch a collision attack, the adversary needs to test 2^{160/2} = 2^80 tests
in the collision algorithm. Even if the adversary can perform 2^30 (more than one billion) tests in a
second, it takes 2^50 seconds (more than ten thousand years) to launch an attack. However,
researchers have discovered some features of the function that allow it to be attacked in less time
than calculated above.

Example 11.11

The new hash function, that is likely to become NIST standard, is SHA-512 (see Chapter 12),
which has a 512-bit digest. This function is definitely resistant to collision attacks based on the
Random Oracle Model. It needs 2^{512/2} = 2^256 tests to find a collision with the probability of 1/2.

Attacks on the Structure

All discussions related to the attacks on hash functions have been based on an ideal
cryptographic hash function that acts like an oracle; they were based on the Random
Oracle Model. Although this type of analysis provides systematic evaluation of the
algorithms, practical hash functions can have some internal structures that can make
them much weaker. It is not possible to make a hash function that creates digests that
are completely random. The adversary may have other tools to attack hash functions.
One of these tools, for example, is the meet-in-the-middle attack that we discussed in
Chapter 6 for double DES. We will see in the next chapters that some hash algorithms
are subject to this type of attack. These types of hash functions are far from the ideal
model and should be avoided.



11.3 MESSAGE AUTHENTICATION

A message digest guarantees the integrity of a message. It guarantees that the message
has not been changed. A message digest, however, does not authenticate the sender of
the message. When Alice sends a message to Bob, Bob needs to know if the message is
coming from Alice. To provide message authentication, Alice needs to provide proof
that it is Alice sending the message and not an impostor. A message digest per se cannot
provide such a proof. The digest created by a cryptographic hash function is normally
called a modification detection code (MDC). The code can detect any modification in
the message. What we need for message authentication (data origin authentication) is a
message authentication code (MAC).



Modification Detection Code

A modification detection code (MDC) is a message digest that can prove the integrity of
the message: that the message has not been changed. If Alice needs to send a message to Bob
and be sure that the message will not change during transmission, Alice can create a
message digest, MDC, and send both the message and the MDC to Bob. Bob can create a new
MDC from the message and compare the received MDC and the new MDC. If they are
the same, the message has not been changed. Figure 11.9 shows the idea.

Figure 11.9 Modification detection code (MDC)
[Figure legend: Hash: cryptographic hash function; MDC: modification detection code; the receiver accepts or rejects the message after comparing the two MDCs.]

Figure 11.9 shows that the message can be transferred through an insecure channel.
Eve can read or even modify the message. The MDC, however, needs to be transferred
through a safe channel. The term safe here means immune to change. If both the
message and the MDC are sent through the insecure channel, Eve can intercept the
message, change it, create a new MDC from the message, and send both to Bob. Bob
never knows that the message has come from Eve. Note that the term safe can mean a
third party; the term channel can mean the passage of time. For example, if Alice
makes an MDC from her will and deposits it with her attorney, who keeps it locked
away until her death, she has used a safe channel.

Alice writes her will and announces it publicly (insecure channel). Alice makes an
MDC from the message and deposits it with her attorney, which is kept until her death
(a secure channel). Although Eve may change the contents of the will, the attorney can
create an MDC from the will and prove that Eve's version is a forgery. If the cryptographic
hash function used to create the MDC has the three properties described at the
beginning of this chapter, Eve will lose.

Message Authentication Code (MAC)

To ensure the integrity of the message and the data origin authentication — that Alice is
the originator of the message, not somebody else — we need to change a modification
detection code (MDC) to a message authentication code (MAC). The difference
between an MDC and a MAC is that the second includes a secret between Alice and
Bob — for example, a secret key that Eve does not possess. Figure 11.10 shows the idea.

Figure 11.10 Message authentication code
[Figure legend: M: message; MAC: message authentication code; K: secret key; the message and the MAC travel together over the insecure channel from Alice to Bob, who accepts or rejects.]

Alice uses a hash function to create a MAC from the concatenation of the key and
the message, h(K|M). She sends the message and the MAC to Bob over the insecure
channel. Bob separates the message from the MAC. He then makes a new MAC from
the concatenation of the message and the secret key. Bob then compares the newly
created MAC with the one received. If the two MACs match, the message is authentic and
has not been modified by an adversary.

Note that there is no need to use two channels in this case. Both the message and the
MAC can be sent on the same insecure channel. Eve can see the message, but she cannot
forge a new message to replace it because Eve does not possess the secret key
between Alice and Bob. She is unable to create the same MAC as Alice did.



Security of a MAC

The MAC we have described is referred to as a prefix MAC because the secret key is
appended to the beginning of the message. We can have a postfix MAC, in which the key
is appended to the end of the message. We can combine the prefix and postfix MAC, with
the same key or two different keys. However, the resulting MACs are still insecure.

Suppose Eve has intercepted the message M and the digest h(K|M). How can Eve forge
a message without knowing the secret key? There are three possible cases:

1. If the size of the key allows exhaustive search, Eve may prepend all possible keys
at the beginning of the message and make a digest of the (K|M) to find the digest
equal to the one intercepted. She then knows the key and can successfully replace
the message with a forged message of her choosing.

2. The size of the key is normally very large in a MAC, but Eve can use another tool:
the preimage attack discussed in Section 11.1. She uses the algorithm until she
finds X such that h(X) is equal to the MAC she has intercepted. She now can find
the key and successfully replace the message with a forged one. Because the size of
the key is normally very large for exhaustive search, Eve can only attack the MAC
using the preimage algorithm.

3. Given some pairs of messages and their MACs, Eve can manipulate them to come
up with a new message and its MAC.

The security of a MAC depends on the security of the underlying hash algorithm.



Nested MAC

To improve the security of a MAC, nested MACs were designed in which hashing is
done in two steps. In the first step, the key is concatenated with the message and is
hashed to create an intermediate digest. In the second step, the key is concatenated with
the intermediate digest to create the final digest. Figure 11.11 shows the general idea.

Figure 11.11 Nested MAC
[Figure: the two-step hashing just described; the diagram itself is not recoverable from the scan.]

HMAC

NIST issued a standard (FIPS 198) for a nested MAC that is often referred to as
HMAC (hashed MAC, to distinguish it from CMAC, discussed in the next section).
The implementation of HMAC is much more complex than the simplified nested MAC
shown in Figure 11.11. There are additional features, such as padding. Figure 11.12
shows the details. We go through the steps:

1. The message is divided into N blocks, each of b bits.

2. The secret key is left-padded with 0's to create a b-bit key. Note that it is recommended
that the secret key (before padding) be longer than n bits, where n is the
size of the HMAC.

3. The result of step 2 is exclusive-ored with a constant called ipad (input pad) to
create a b-bit block. The value of ipad is the b/8 repetition of the sequence
00110110 (36 in hexadecimal).

4. The resulting block is prepended to the N-block message. The result is N + 1 blocks.

5. The result of step 4 is hashed to create an n-bit digest. We call the digest the intermediate
HMAC.

Figure 11.12 Details of HMAC
[Figure legend: the n-bit intermediate HMAC is padded to b bits before the second hash; the final output is the n-bit HMAC.]

6. The intermediate n-bit HMAC is left padded with 0s to make a b-bit block.

7. Steps 2 and 3 are repeated by a different constant opad (output pad). The value of
opad is the b/8 repetition of the sequence 01011100 (5C in hexadecimal).

8. The result of step 7 is prepended to the block of step 6.

9. The result of step 8 is hashed with the same hashing algorithm to create the final n-bit
HMAC.
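The nine steps above, written out with SHA-256 as the hash (n = 256, b = 512) and checked against Go's crypto/hmac, as an added example that is not part of the book: it is useful as a check that a hand-rolled MAC really matches the standard before it is deployed. Two details follow FIPS 198 rather than the wording of the steps, and that is what makes the result match the library: the standard appends the zero padding of step 2 to the right of the key (and first hashes a key longer than b bits down to n bits), and it does not zero-pad the intermediate digest of step 6, because the hash function's own padding takes care of it. Function names, the constructed key and message, and the 0x36/0x5C byte view of ipad/opad are the example's own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// blockBytes is b/8: SHA-256 processes b = 512-bit blocks (step 1).
const blockBytes = 64

// xorPad XORs the b-byte padded key with a repeated pad byte (steps 3 and 7).
func xorPad(key []byte, pad byte) []byte {
	out := make([]byte, blockBytes)
	for i := range out {
		out[i] = key[i] ^ pad
	}
	return out
}

// HMACSHA256 walks the steps of Figure 11.12 with SHA-256 as the hash.
func HMACSHA256(key, msg []byte) []byte {
	// FIPS 198 first reduces a key longer than b bits to n bits by hashing it.
	if len(key) > blockBytes {
		sum := sha256.Sum256(key)
		key = sum[:]
	}
	// Step 2: pad the key with 0s to b bits; the standard appends them on the right.
	k := make([]byte, blockBytes)
	copy(k, key)
	// Steps 3-5: (K xor ipad) || M hashed to the intermediate HMAC; ipad = 0x36 repeated b/8 times.
	inner := sha256.Sum256(append(xorPad(k, 0x36), msg...))
	// Steps 7-9: (K xor opad) || intermediate HMAC, hashed once more; opad = 0x5C repeated b/8 times.
	// The hash's own padding covers step 6, so the n-bit digest is appended as is.
	outer := sha256.Sum256(append(xorPad(k, 0x5C), inner[:]...))
	return outer[:]
}

// Verify is Bob's side: recompute the tag and compare it in constant time.
func Verify(key, msg, tag []byte) bool {
	return hmac.Equal(HMACSHA256(key, msg), tag)
}

// MatchesStdlib checks the step-by-step version against Go's crypto/hmac.
func MatchesStdlib(key, msg []byte) bool {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return bytes.Equal(mac.Sum(nil), HMACSHA256(key, msg))
}

func main() {
	key := []byte("constructed-demo-key")       // constructed sample key
	msg := []byte("transfer 100 to account 42") // constructed sample message
	tag := HMACSHA256(key, msg)
	fmt.Println("HMAC-SHA256:", hex.EncodeToString(tag))
	fmt.Println("matches crypto/hmac:", MatchesStdlib(key, msg))
	fmt.Println("tampered message accepted:", Verify(key, []byte("transfer 900 to account 42"), tag))
}
```

The constant-time comparison in Verify is the part most often missed when a MAC check is written by hand; hmac.Equal exists precisely so that the receiver's comparison does not leak how many leading bytes of a forged tag were right.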

CMAC

NIST has also defined a standard (FIPS 113) called Data Authentication Algorithm, or
CMAC, or CBCMAC. The method is similar to the cipher block chaining (CBC) mode
discussed in Chapter 8 for symmetric-key encipherment. However, the idea here is not to
create N blocks of ciphertext from N blocks of plaintext. The idea is to create one block of
MAC from N blocks of plaintext using a symmetric-key cipher N times. Figure 11.13
shows the idea.

Figure 11.13 CMAC
[Figure legend: CMAC function; N message blocks of m bits; K: cipher key; encryption algorithm applied to each block; the last block is first combined with a key that is multiplied by x or x^2; output is the n-bit CMAC.]

The message is divided into N blocks, each m bits long. The size of the CMAC is
n bits. If the last block is not m bits, it is padded with a 1-bit followed by enough 0-bits
to make it m bits. The first block of the message is encrypted with the symmetric key
to create an m-bit block of encrypted data. This block is XORed with the next block
and the result is encrypted again to create a new m-bit block. The process continues
until the last block of the message is encrypted. The n leftmost bits from the last block
are the CMAC. In addition to the symmetric key, K, CMAC also uses another key, k,
which is applied only at the last step. This key is derived from the encryption algorithm
with plaintext of m 0-bits using the cipher key, K. The result is then multiplied
by x if no padding is applied and multiplied by x^2 if padding is applied. The multiplication
is in GF(2^m) with the irreducible polynomial of degree m selected by the particular
protocol used.

Note that this is different from the CBC used for confidentiality, in which the output
of each encryption is sent as the ciphertext and at the same time XORed with the
next plaintext block. Here the intermediate encrypted blocks are not sent as ciphertext;
they are only used to be XORed with the next block.
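The procedure above with AES-128 as the cipher (m = 128), as an added example that is not part of the book: it derives the final-step key from E_K(0^m), multiplies it by x or x^2 in GF(2^128), pads a short last block with a 1-bit and 0-bits, and runs the chain without emitting any intermediate block. The irreducible polynomial x^128 + x^7 + x^2 + x + 1 is the one NIST SP 800-38B and RFC 4493 fix for this block size, and the key in main is the RFC 4493 test key; function names are the example's own, and the full 128-bit tag is returned (n = m), which the standard allows to be truncated to the n leftmost bits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const m = 16 // block size in bytes: m = 128 bits for AES

// doubleBlock multiplies a block by x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1.
func doubleBlock(b []byte) []byte {
	out := make([]byte, m)
	var carry byte
	for i := m - 1; i >= 0; i-- {
		out[i] = b[i]<<1 | carry
		carry = b[i] >> 7
	}
	if carry == 1 {
		out[m-1] ^= 0x87 // reduce the overflowed x^128 term
	}
	return out
}

// Subkeys derives the two last-step keys from L = E_K(0^m):
// k1 = L*x is used when no padding is applied, k2 = L*x^2 when it is.
func Subkeys(blk cipher.Block) (k1, k2 []byte) {
	L := make([]byte, m)
	blk.Encrypt(L, make([]byte, m))
	k1 = doubleBlock(L)
	k2 = doubleBlock(k1)
	return k1, k2
}

// AESCMAC returns the 128-bit CMAC of msg under the AES-128 key.
func AESCMAC(key, msg []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	k1, k2 := Subkeys(blk)

	// Number of blocks N; an empty message still forms one (padded) block.
	N := (len(msg) + m - 1) / m
	if N == 0 {
		N = 1
	}
	// Final block: XOR with k1 if complete; otherwise pad with a 1-bit then
	// 0-bits and XOR with k2.
	last := make([]byte, m)
	tail := msg[(N-1)*m:]
	copy(last, tail)
	sub := k1
	if len(tail) != m {
		last[len(tail)] = 0x80
		sub = k2
	}
	for j := range last {
		last[j] ^= sub[j]
	}
	// Chain the first N-1 blocks; unlike CBC encryption nothing here is output.
	x := make([]byte, m)
	for i := 0; i < N-1; i++ {
		for j := 0; j < m; j++ {
			x[j] ^= msg[i*m+j]
		}
		blk.Encrypt(x, x)
	}
	for j := range last {
		x[j] ^= last[j]
	}
	blk.Encrypt(x, x)
	return x
}

// VerifyCMAC is the receiver's check, done in constant time.
func VerifyCMAC(key, msg, tag []byte) bool {
	return subtle.ConstantTimeCompare(AESCMAC(key, msg), tag) == 1
}

func main() {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c") // RFC 4493 test key
	for _, msg := range [][]byte{nil, []byte("sixteen byte blk"), []byte("twenty byte message!")} {
		fmt.Printf("%-22q -> %s\n", msg, hex.EncodeToString(AESCMAC(key, msg)))
	}
}
```

The empty message is the edge case worth keeping in mind: it still produces exactly one block, the padded one, so the x^2 subkey applies; without that rule an empty message and a message consisting of a lone 1-bit would collide.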

11.4 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this
chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

Several books that give good coverage of cryptographic hash functions include
[Sti06], [Sta06], [Sch99], [...], [KPS02], [PHS03], and [MOV96].

WebSites

The following websites give information about topics discussed in this chapter.

http://en.wikipedia.org/wiki/Preimage_attack
http://en.wikipedia.org/wiki/[unreadable in the scan]
http://en.wikipedia.org/wiki/Pigeonhole_principle
http://en.wikipedia.org/wiki/[unreadable in the scan]
http://en.wikipedia.org/wiki/[unreadable in the scan]
csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
http://www.faqs.org/[unreadable in the scan]
http://en.wikipedia.org/[unreadable in the scan]



11.5 KEY TERMS

birthday problems
CBCMAC
CMAC
collision resistance
cryptographic hash function
hashed message authentication code (HMAC)
input pad (ipad)
message authentication code (MAC)
message digest
message digest domain
modification detection code (MDC)
nested MAC
output pad (opad)
pigeonhole principle
preimage resistance
Random Oracle Model
second preimage resistance



11.6 SUMMARY

□ A fingerprint or a message digest can be used to ensure the integrity of a document
or a message. To ensure the integrity of a document, both the document and
the fingerprint are needed; to ensure the integrity of a message, both the message
and the message digest are needed. The message digest needs to be kept safe
from change.

□ A cryptographic hash function creates a message digest out of a message. The function
must meet three criteria: preimage resistance, second preimage resistance, and
collision resistance.

□ The first criterion, preimage resistance, means that it must be extremely hard for
Eve to create any message from the digest. The second criterion, second preimage
resistance, ensures that if Eve has a message and the corresponding digest, she
should not be able to create a second message whose digest is the same as the first.
The third criterion, collision resistance, ensures that Eve cannot find two messages
that hash to the same digest.

□ The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway,
is an ideal mathematical model for a hash function.

□ The pigeonhole principle states that if n pigeonholes are occupied by n + 1 pigeons,
then at least one pigeonhole is occupied by two pigeons. The generalized version of
the pigeonhole principle is that if n pigeonholes are occupied by kn + 1 pigeons, then
at least one pigeonhole is occupied by k + 1 pigeons.

□ The four birthday problems are used to analyze the Random Oracle Model. The
first problem is used to analyze the preimage attack, the second problem is used to
analyze the second preimage attack, and the third and the fourth problems are used
to analyze the collision attack.

□ A modification detection code (MDC) is a message digest that can prove the integrity
of the message: that the message has not been changed. To prove the integrity
of the message and the data origin authentication, we need to change a modification
detection code (MDC) to a message authentication code (MAC). The difference
between an MDC and a MAC is that the second includes a secret between the
sender and the receiver.

□ NIST has issued a standard (FIPS 198) for a nested MAC that is often referred to
as HMAC (hashed MAC). NIST has also defined another standard (FIPS 113)
called CMAC, or CBCMAC.




11.7 PRACTICE SET

Review Questions

1. Distinguish between message integrity and message authentication.

2. Define the first criterion for a cryptographic hash function.

3. Define the second criterion for a cryptographic hash function.

4. Define the third criterion for a cryptographic hash function.

5. Define the Random Oracle Model and describe its application in analyzing attacks
on hash functions.

6. Define the pigeonhole principle and describe its application in analyzing hash
functions.

7. Define the four birthday problems discussed in this chapter.

8. Associate each birthday problem with one of the attacks on a hash function.

9. Distinguish between an MDC and a MAC.

10. Distinguish between HMAC and CMAC.

Exercises

11. In the Random Oracle Model, why does the oracle need to make a note of the
digest created for a message and give the same digest for the same message?

12. Explain why private-public keys cannot be used in creating a MAC.

13. Ignoring the birth month, how many attempts, on average, are needed to find a
person with the same birth date as yours? Assume that all months have 30 days.

14. Ignoring the birth month, how many attempts, on average, are needed to find two
persons with the same birth date? Assume that all months have 30 days.

15. How many attempts, on average, are needed to find a person the same age as you,
given a group of people born after 1950?

16. How many attempts on average are needed to find two people of the same age if
we look for people born after 1950?

17. Answer the following questions about a family of six people, assuming that the
birthdays are uniformly distributed through the days of a week, through the days of
a month, through each month of a year, and through the 365 days of the year. Also
assume that a year is exactly 365 days and each month is exactly 30 days.

a. What is the probability that two of the family members have the same birthday?
What is the probability that none of them have the same birthday?

b. What is the probability that two of the family members are born in the same
month? What is the probability that none of them were born in the same month?

c. What is the probability that one of the family members is born on the first day
of a month?

d. What is the probability that three of the family members are born on the same
day of the week?

18. What is the probability of birthday collision in two classes, one with A students and
the other with I students?

19. In a class of 100 students, what is the probability that two or more students have
Social Security Numbers with the same last four digits?

20. There are 100 students in a class and the professor assigns five grades (A, B, C, D,
E) to a test. Show that at least 20 students have one of the grades.

21. Does the pigeonhole principle require the random distribution of pigeons to the
pigeonholes?



22. Assume that Eve is determined to find a preimage in Algorithm 11.1. What is the
average number of times Eve needs to repeat the algorithm?

23. Assume Eve is determined to find a collision in Algorithm 11.3. What is the average
number of times Eve needs to repeat the algorithm?

24. Assume we have a very simple message digest. Our unrealistic message digest is
just one number between 0 and 25. The digest is initially set to 0. The cryptographic
hash function adds the current value of the digest to the value of the current
character (between 0 and 25). Addition is in modulo 26. Figure 11.14 shows
the idea. What is the value of the digest if the message is "HELLO"? Why is this
digest not secure?

Figure 11.14 Exercise 24
[Figure: each character value is added to the running digest; the diagram itself is not recoverable from the scan.]

25. Let us increase the complexity of the previous exercise. We take the value of the current
character, substitute it with another number, and then add it to the previous value
of the digest in modulo 100 arithmetic. The digest is initially set to 0. Figure 11.15
shows the idea. What is the value of the digest if the message is "HELLO"? Why is
this digest not secure?

Figure 11.15 Exercise 25
[Figure legend: character; hashing algorithm; the diagram itself is not recoverable from the scan.]

26. Use modular arithmetic to find the digest of a message. Figure 11.16 shows the
procedure. The steps are as follows:

a. Let the length of the message digest be n bits.

b. Choose a prime number, p, of n bits as the modulus.

c. Represent the message as a binary number and pad the message with extra 0's
to make it a multiple of m bits.

d. Divide the padded message into N blocks, each of m bits. Call the ith block X_i.

e. Choose an initial digest of n bits, H_0.

f. Repeat the following N times:

    H_i = (H_{i-1} + X_i) mod p

g. The digest is H_N.

What is the value of the digest if the message is "HELLO"? Why is this digest not
secure?

Figure 11.16 Exercise 26
[Figure legend: Message, N m-bit blocks; the diagram itself is not recoverable from the scan.]

27. A hash function, called Modular Arithmetic Secure Hash (MASH), is described
below. Write an algorithm to calculate the digest, given the message. Find the digest
of a message of your own.

a. Let the length of the message digest be N bits.

b. Choose two prime numbers, p and q. Calculate M = p × q.

c. Represent the message as a binary number and pad the message with extra 0s to
make it a multiple of N/2 bits. N is chosen as a multiple of 16, less than the
number of bits in M.

d. Divide the padded message into m blocks, each of N/2 bits. Call each block X_i.

e. Add the length of the message modulo N/2 as a binary number to the message.
This makes the message m + 1 blocks of N/2 bits.

f. Expand the message to obtain m + 1 blocks, each of N bits, as shown below:
Divide blocks X_1 to X_m into 4-bit groups. Insert 1111 before each group.
Divide block X_{m+1} into 4-bit groups. Insert 1010 before each group.
Call the expanded blocks Y_1, Y_2, ..., Y_{m+1}.

g. Choose an initial digest of N bits, H_0.

h. Choose a constant K of N bits.

i. Repeat the following m + 1 times (T_i and G_i are intermediate values). The "||"
symbol means concatenate.

    T_i = ((H_{i-1} || Y_i) ∨ K)^257 mod M        G_i = T_i mod 2^N        H_i = H_{i-1} ⊕ G_i

j. The digest is H_{m+1} ⊕ Y_{m+1}.

28. Write an algorithm in pseudocode to solve the first birthday problem (in general
form).

29. Write an algorithm in pseudocode to solve the second birthday problem (in general
form).

30. Write an algorithm in pseudocode to solve the third birthday problem (in general
form).

31. Write an algorithm in pseudocode to solve the fourth birthday problem (in general
form).

32. Write an algorithm in pseudocode for HMAC.

33. Write an algorithm in pseudocode for CMAC.

CHAPTER 12 Cryptographic Hash Functions

Objectives

This chapter has several objectives:

□ To introduce general ideas behind cryptographic hash functions

□ To discuss the Merkle-Damgard scheme as the basis for iterated hash
functions

□ To distinguish between two categories of hash functions: those with
a compression function made from scratch and those with a block
cipher as the compression function

□ To discuss the structure of SHA-512 as an example of a cryptographic
hash function with a compression function made from scratch

□ To discuss the structure of Whirlpool as an example of a cryptographic
hash function with a block cipher as the compression function

12.1 INTRODUCTION

As discussed in Chapter 11, a cryptographic hash function takes a message of arbitrary
length and creates a message digest of fixed length. The ultimate goal of this chapter
is to discuss the details of the two most promising cryptographic hash algorithms —
SHA-512 and Whirlpool. However, we first need to discuss some general ideas that may
be applied to any cryptographic hash function.

Iterated Hash Function

All cryptographic hash functions need to create a fixed-size digest out of a variable-size
message. Creating such a function is best accomplished using iteration. Instead of using
a hash function with variable-size input, a function with fixed-size input is created and
is used a necessary number of times. The fixed-size input function is referred to as a
compression function. It compresses an n-bit string to create an m-bit string where n is
normally greater than m. The scheme is referred to as an iterated cryptographic hash function.

Merkle-Damgard Scheme

The Merkle-Damgard scheme is an iterated hash function that is collision resistant if
the compression function is collision resistant. This can be proved, but the proof is left
as an exercise. The scheme is shown in Figure 12.1.

Figure 12.1 Merkle-Damgard scheme
[Figure legend: the message is split into blocks; one compression function box per block, each taking the previous digest and the current block; the diagram itself is not recoverable from the scan.]

The scheme uses the following steps:

1. The message length and padding are appended to the message to create an augmented
message that can be evenly divided into blocks of n bits, where n is the size
of the block to be processed by the compression function.

2. The message is then considered as t blocks, each of n bits. We call each block M_1,
M_2, ..., M_t. We call the digest created at iteration i H_i.

3. Before starting the iteration, the digest H_0 is set to a fixed value, normally called
IV (initial value or initial vector).

4. The compression function at each iteration operates on H_{i-1} and M_i to create a new
H_i. In other words, we have H_i = f(H_{i-1}, M_i), where f is the compression function.

5. H_t is the cryptographic hash function of the original message, that is, h(M).

If the compression function in the Merkle-Damgard scheme is collision resistant,
the hash function is also collision resistant.
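The five steps above, carried out end to end, as an added example that is not part of the book: the compression function f is built from a block cipher (the second category named in the chapter objectives), in the Davies-Meyer form H_i = E_{M_i}(H_{i-1}) ⊕ H_{i-1} with AES-128 as E, so that n = 128 bits for both the block and the chaining value. The padding format (a 1-bit, 0-bits, then the 64-bit message length), the all-zero IV, and the function names are assumptions of the example; the choice of Davies-Meyer and AES is the example's own, not a construction the book specifies.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const nBytes = 16 // n = 128 bits: the AES-128 block and key size

// compress is f(H_{i-1}, M_i) in Davies-Meyer form: the message block keys the
// cipher, the previous digest is encrypted, and the result is XORed with it.
func compress(h, block []byte) []byte {
	c, err := aes.NewCipher(block) // the message block acts as the cipher key
	if err != nil {
		panic(err)
	}
	out := make([]byte, nBytes)
	c.Encrypt(out, h)
	for i := range out {
		out[i] ^= h[i]
	}
	return out
}

// Pad is step 1: append a 1-bit, then 0-bits, then the 64-bit message length
// so that the augmented message splits evenly into n-bit blocks.
func Pad(msg []byte) []byte {
	bitLen := uint64(len(msg)) * 8
	out := append([]byte{}, msg...)
	out = append(out, 0x80)
	for len(out)%nBytes != nBytes-8 {
		out = append(out, 0x00)
	}
	var length [8]byte
	binary.BigEndian.PutUint64(length[:], bitLen)
	return append(out, length[:]...)
}

// Blocks returns t, the number of n-bit blocks after padding (step 2).
func Blocks(msg []byte) int { return len(Pad(msg)) / nBytes }

// MDHash runs steps 3 to 5: H_0 = IV, H_i = f(H_{i-1}, M_i), digest = H_t.
func MDHash(msg []byte) []byte {
	padded := Pad(msg)
	h := make([]byte, nBytes) // IV: all zero (a constructed choice for this example)
	for i := 0; i < len(padded); i += nBytes {
		h = compress(h, padded[i:i+nBytes])
	}
	return h
}

func main() {
	for _, msg := range []string{"", "abc", "The quick brown fox jumps over the lazy dog"} {
		fmt.Printf("%-45q t=%d  h(M)=%s\n", msg, Blocks([]byte(msg)), hex.EncodeToString(MDHash([]byte(msg))))
	}
}
```

The length field in the padding is what makes the collision-resistance claim carry over from f to h: without it, a message and the same message followed by zero blocks could reach the same H_t without any collision ever occurring in f.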



Two Groups of Compression Functions 

The Merkle-Damgard scheme is the basis for many cryptographic hash functions today. 
The only [hinjj we need to do is design a compression function that is collision resistant 



SECTION 12. 1 INTRODUCTION 365 



and insert it in ihe Merkle-Damgard scheme. There ls a tendency to use two differeni 
^ppmaches in designing a hash function, In the fet approach, the compression func 
Li^kinade from scratch: it is. particularly designed for this purpose. In the second 
apprise h f a symmetric-key block cipher serves as a compression function. 

Hash Functions Made from Scratch

A set of cryptographic hash functions uses compression functions that are made from
scratch. These compression functions are specifically designed for the purposes they serve.

Message Digest (MD) Several hash algorithms were designed by Ron Rivest. These
are referred to as MD2, MD4, and MD5, where MD stands for Message Digest. The
last version, MD5, is a strengthened version of MD4 that divides the message into
blocks of 512 bits and creates a 128-bit digest. It turned out that a message digest of
size 128 bits is too small to resist collision attack.

Secure Hash Algorithm (SHA) The Secure Hash Algorithm (SHA) is a standard
that was developed by the National Institute of Standards and Technology (NIST) and
published as a Federal Information Processing Standard (FIP 180). It is sometimes
referred to as Secure Hash Standard (SHS). The standard is mostly based on MD5.
The standard was revised in 1995 under FIP 180-1, which includes SHA-1. It was
revised later under FIP 180-2, which defines four new versions: SHA-224, SHA-256,
SHA-384, and SHA-512. Table 12.1 lists some of the characteristics of these versions.



Table 12.1 Characteristics of Secure Hash Algorithms (SHAs)

Characteristic          SHA-1      SHA-224    SHA-256    SHA-384     SHA-512
Maximum message size    2^64 - 1   2^64 - 1   2^64 - 1   2^128 - 1   2^128 - 1
Block size              512        512        512        1024        1024
Message digest size     160        224        256        384         512
Number of rounds        80         64         64         80          80
Word size               32         32         32         64          64



All of these versions have the same structure. SHA-512 is discussed in detail later
in this chapter.

Other Algorithms RACE Integrity Primitives Evaluation Message Digest
(RIPEMD) has several versions. RIPEMD-160 is a hash algorithm with a 160-bit
message digest. RIPEMD-160 uses the same structure as MD5 but uses two parallel
lines of execution. HAVAL is a variable-length hashing algorithm with a message
digest of size 128, 160, 192, 224, or 256 bits. The block size is 1024 bits.



Hash Functions Based on Block Ciphers

An iterated cryptographic hash function can use a symmetric-key block cipher as a
compression function. The whole idea is that there are several secure symmetric-key
block ciphers, such as triple DES or AES, that can be used to make a one-way function
instead of creating a new compression function. The block cipher in this case only
performs encryption. Several schemes have been proposed. We later describe one of the
most promising, Whirlpool.

CHAPTER 12 CRYPTOGRAPHIC HASH FUNCTIONS

Rabin Scheme The iterated hash function proposed by Rabin is very simple. The
Rabin scheme is based on the Merkle-Damgard scheme. The compression function is
replaced by any encrypting cipher. The message block is used as the key; the previously
created digest is used as the plaintext. The ciphertext is the new message digest. Note that
the size of the digest is the size of the data block of the cipher in the underlying cryptosystem. For
example, if DES is used as the block cipher, the size of the digest is only 64 bits.
Although the scheme is very simple, it is subject to a meet-in-the-middle attack discussed
in Chapter 6, because the adversary can use the decryption algorithm of the cryptosystem.
Figure 12.2 shows the Rabin scheme.



Figure 12.2 Rabin scheme
[Figure: padded message of t blocks; each n-bit message block M_i is the cipher key, the previous digest H_{i-1} (n bits) is the plaintext, and the ciphertext is the new digest H_i]













Davies-Meyer Scheme The Davies-Meyer scheme is basically the same as the
Rabin scheme except that it uses forward feed to protect against the meet-in-the-middle
attack. Figure 12.3 shows the Davies-Meyer scheme.



Figure 12.3 Davies-Meyer scheme
[Figure: n-bit message block M_i is the key K, the previous digest H_{i-1} the plaintext P; the ciphertext C (n bits) is fed forward, that is, exclusive-ored with H_{i-1}, to give H_i]



Matyas-Meyer-Oseas Scheme The Matyas-Meyer-Oseas scheme is a dual version
of the Davies-Meyer scheme: the message block is used as the key to the cryptosystem.
The scheme can be used if the data block and the cipher key are the same size. For
example, AES is a good candidate for this purpose. Figure 12.4 shows the Matyas-
Meyer-Oseas scheme.

SECTION 12.2 SHA-512 367

Figure 12.4 Matyas-Meyer-Oseas scheme
[Figure: padded message of t blocks; each block passes through the Encrypt operation with the previous digest and is exclusive-ored into the result to give the next digest]



Miyaguchi-Preneel Scheme The Miyaguchi-Preneel scheme is an extended ver-
sion of Matyas-Meyer-Oseas. To make the algorithm stronger against attack, the plain-
text, the cipher key, and the ciphertext are all exclusive-ored together to create the new
digest. This is the scheme used by the Whirlpool hash function. Figure 12.5 shows the
Miyaguchi-Preneel scheme.

Figure 12.5 Miyaguchi-Preneel scheme
[Figure: padded message of t blocks; plaintext, key and ciphertext of each encryption are exclusive-ored together; the final value is the message digest]
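The Merkle-Damgard iteration of steps 1 to 5 together with the four block-cipher-based compression functions of this section (Rabin, Davies-Meyer, Matyas-Meyer-Oseas and Miyaguchi-Preneel), as an added example that is not the textbook's code. It assumes a constructed toy 64-bit Feistel block cipher with a 64-bit key as a stand-in for DES or AES (so n = 64 bits and key size equals block size), and it writes the four schemes in their usual definitions: Rabin and Davies-Meyer key the cipher with the message block, Matyas-Meyer-Oseas and Miyaguchi-Preneel key it with the previous digest.

```python
"""Merkle-Damgard iteration (steps 1 to 5 of Section 12.1) over the four
block-cipher-based compression functions of this section.  Added example, not
the textbook's code.  encrypt() is a toy 64-bit Feistel cipher with a 64-bit key,
a constructed stand-in for DES or AES so that n = 64 bits and key size equals
block size; it is not secure and only serves to show the wiring of the schemes."""

N_BYTES = 8                      # block size n of the cipher, in bytes (64 bits)
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def encrypt(key, plaintext):
    """E_key(plaintext): 16-round Feistel network on two 32-bit halves (toy cipher)."""
    left, right = plaintext >> 32, plaintext & MASK32
    k_hi, k_lo = key >> 32, key & MASK32
    for rnd in range(16):
        round_key = (k_hi + (k_lo << (rnd % 8)) + 0x9E3779B9 * rnd) & MASK32
        f = ((right ^ round_key) * 0x85EBCA6B) & MASK32
        f ^= f >> 13
        left, right = right, left ^ f
    return (left << 32) | right


def pad_message(msg):
    """Step 1: append a 1 bit, 0 bits and the 64-bit message length so that the
    augmented message divides evenly into n-bit blocks."""
    bit_length = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % N_BYTES)
    return padded + bit_length.to_bytes(N_BYTES, "big")


def blocks_of(padded):
    """Step 2: view the augmented message as t blocks M_1 .. M_t of n bits."""
    return [int.from_bytes(padded[i:i + N_BYTES], "big")
            for i in range(0, len(padded), N_BYTES)]


def merkle_damgard(msg, compress, iv=0):
    """Steps 3 to 5: H_0 = IV, H_i = f(H_{i-1}, M_i), and H_t is the digest."""
    h = iv
    for m in blocks_of(pad_message(msg)):
        h = compress(h, m)
    return h


# Compression functions f(H_{i-1}, M_i), in their usual definitions.
def rabin(h, m):
    """Message block is the key, previous digest the plaintext; no feed-forward."""
    return encrypt(m, h)


def davies_meyer(h, m):
    """Rabin plus forward feed: the previous digest is XORed into the ciphertext."""
    return encrypt(m, h) ^ h


def matyas_meyer_oseas(h, m):
    """Dual of Davies-Meyer: previous digest is the key, message block the plaintext."""
    return encrypt(h, m) ^ m


def miyaguchi_preneel(h, m):
    """Matyas-Meyer-Oseas with plaintext, key and ciphertext all XORed (Whirlpool)."""
    return encrypt(h, m) ^ m ^ h


def all_digests(msg):
    """Hash msg under each scheme; digests returned as 16-digit hexadecimal strings."""
    return {f.__name__: f"{merkle_damgard(msg, f):016x}"
            for f in (rabin, davies_meyer, matyas_meyer_oseas, miyaguchi_preneel)}
```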



12.2 SHA-512

SHA-512 is the version of SHA with a 512-bit message digest. This version, like the
others in the SHA family of algorithms, is based on the Merkle-Damgard scheme. We
have chosen this particular version for discussion because it is the latest version, it has a
more complex structure than the others, and its message digest is the longest. Once the
structure of this version is understood, it should not be difficult to understand the struc-
tures of the other versions. For characteristics of SHA-512 see Table 12.1.

Introduction

SHA-512 creates a digest of 512 bits from a multiple-block message. Each block is
1024 bits in length, as shown in Figure 12.6.



Figure 12.6 Message digest creation in SHA-512
[Figure: augmented message, a multiple of 1024-bit blocks (Block 1, Block 2, ..., Block N); a 512-bit initial value is mixed with Block 1, each intermediate digest with the next block; the output after Block N is the message digest]



The digest is initialized to a predetermined value of 512 bits. The algorithm mixes
this initial value with the first block of the message to create the first intermediate mes-
sage digest of 512 bits. This digest is then mixed with the second block to create the
second intermediate digest. Finally, the (N-1)th digest is mixed with the Nth block to
create the Nth digest. When the last block is processed, the resulting digest is the mes-
sage digest for the entire message.

Message Preparation

SHA-512 insists that the length of the original message be less than 2^128 bits. This
means that if the length of a message is equal to or greater than 2^128 bits, it will not be pro-
cessed by SHA-512. This is not usually a problem because 2^128 bits is probably larger
than the total storage capacity of any system.

SHA-512 creates a 512-bit message digest out of a message of length less than 2^128 bits.



Example 12.1

This example shows that the message length limitation of SHA-512 is not a serious problem.
Suppose we need to send a message that is 2^128 bits in length. How long does it take for a com-
munications network with a data rate of 2^64 bits per second to send this message?

Solution

A communications network that can send 2^64 bits per second is not yet available. Even if it were,
it would take many years to send this message. This tells us that we do not need to worry about
the SHA-512 message length restriction.

Example 12.2

This example also concerns the message length in SHA-512. How many pages are occupied by a
message of 2^128 bits?

Solution

Suppose that a character is 32, or 2^5, bits. Each page is less than 2048, or approximately 2^11,
characters. So 2^128 bits need at least 2^128 / 2^16, or 2^112, pages. This again shows that we need not
worry about the message length restriction.

Length Field and Padding

Before the message digest can be created, SHA-512 requires the addition of a 128-bit
unsigned-integer length field to the message that defines the length of the message in
bits. This is the length of the original message before padding. An unsigned integer
field of 128 bits can define a number between 0 and 2^128 - 1, which is the maximum
length of the message allowed in SHA-512. The length field defines the length of the
original message before adding the length field or the padding (Figure 12.7).



Figure 12.7 Padding and length field in SHA-512
[Figure: original message (length: variable) | padding 1000...000 | length field, 128 bits; the total is a multiple of 1024 bits]



Before the addition of the length field, we need to pad the original message to
make the length a multiple of 1024. We reserve 128 bits for the length field, as shown in
Figure 12.7. The length of the padding field can be calculated as follows. Let |M| be the
length of the original message and |P| be the length of the padding field.

|P| = (-|M| - 128) mod 1024

The format of the padding is one 1 followed by the necessary number of 0s.
Example 12.3

What is the number of padding bits if the length of the original message is 2590 bits?

Solution

We can calculate the number of padding bits as follows:

|P| = (-2590 - 128) mod 1024 = -2718 mod 1024 = 354

The padding consists of one 1 followed by 353 0s.

Example 12.4

Do we need padding if the length of the original message is already a multiple of 1024 bits?

Solution

Yes we do, because we need to add the length field. So padding is needed to make the new block
a multiple of 1024 bits.





Example 12.5

What is the minimum and maximum number of padding bits that can be added to a message?

Solution

a. The minimum length of padding is 0 and it happens when (-|M| - 128) mod 1024 is 0.
This means that |M| = -128 mod 1024 = 896 mod 1024 bits. In other words, the last
block in the original message is 896 bits. We add a 128-bit length field to make the block
complete.

b. The maximum length of padding is 1023 and it happens when (-|M| - 128) = 1023 mod
1024. This means that the length of the original message is |M| = (-128 - 1023) mod
1024 or the length is |M| = 897 mod 1024. In this case, we cannot just add the length
field because the length of the last block would exceed 1024 by one bit. So we need to
add 127 bits to complete this block and create a second block of 896 bits so that the
length field can be added to make the block complete.

SHA-512 operates on words; it is word-oriented. A word is defined as 64 bits. This
means that, after the padding and the length field are added to the message, each block
of the message consists of sixteen 64-bit words. The message digest is also made of
64-bit words, but the message digest is only eight words and the words are named A, B,
C, D, E, F, G, and H, as shown in Figure 12.8.

Figure 12.8 A message block and the digest as words
[Figure: message block of 16 words, each of 64 bits = 1024 bits; message digest of 8 words, each of 64 bits = 512 bits, named A, B, C, D, E, F, G, H]



SHA-512 is word-oriented. Each block is 16 words; the digest is only 8 words.

Word Expansion



Before processing, each message block must be expanded. A block is made of 1024
bits, or sixteen 64-bit words. As we will see later, we need 80 words in the processing
phase. So the 16-word block needs to be expanded to 80 words, from W_0 to W_79. Fig-
ure 12.9 shows the word-expansion process. The 1024-bit block becomes the first 16
words; the rest of the words come from already-made words according to the operation
shown in the figure.



Figure 12.9 Word expansion in SHA-512
[Figure: block of 16 words = 1024 bits gives W_0 ... W_15; W_16 ... W_79 are built from earlier words by the operation below]

RotShift_{l-m-n}(x): RotR_l(x) ⊕ RotR_m(x) ⊕ ShL_n(x)
ShL_j(x): Shift-left of the argument x by j bits and padding the left by 0s



Example 12.6

Show how W_60 is made.

Solution

Each word in the range W_16 to W_79 is made from four previously-made words. W_60 is made

Message Digest Initialization

The algorithm uses eight constants for message digest initialization. We call these con-
stants A_0 to H_0 to match with the word names used for the digest. Table 12.2 shows
the value of these constants.

" fa hlL J 1.2 Values of constants in message itf^g^ htUiftlizaiion of SHA -5 1\ 



_ 





Value fin hexadecimal) 




Vfctfuc fiH hexadecimal} 


A,j 


GA03IS667F3BCC90S 




M0E527FADE6&2D1 




H&57AES584CAA73B 




9B05G8EC2B3G6C!F 




3C6EF372EF94Ffl28 








A54F£53lk5FlD36Fl 




^S^OCDl9137E217 9 



The reader may wonder where these values come from. The values are calculated
from the first eight prime numbers (2, 3, 5, 7, 11, 13, 17, and 19). Each value is the frac-
tion part of the square root of the corresponding prime number after converting to
binary and keeping only the first 64 bits. For example, the eighth prime is 19 with
the square root (19)^(1/2) = 4.35889894354. Converting the number to binary with only
64 bits in the fraction part, we get

(100.0101 1011 1110 ... 1001)_2 -> (4.5BE0CD19137E2179)_16

SHA-512 keeps the fraction part, (5BE0CD19137E2179)_16, as an unsigned integer.







Compression Function

SHA-512 creates a 512-bit (eight 64-bit words) message digest from a multiple-block
message where each block is 1024 bits. The processing of each block of data in SHA-
512 involves 80 rounds. Figure 12.10 shows the general outline for the compression
function. In each round, the contents of eight previous buffers, one word from the
expanded block (W_i), and one 64-bit constant (K_i) are mixed together and then oper-
ated on to create a new set of eight buffers. At the beginning of processing, the values
of the eight buffers are saved into eight temporary variables. At the end of the process-
ing (after step 79), these values are added to the values created from step 79. We call
this last operation the final adding, as shown in the figure.

Figure 12.10 Compression function in SHA-512
[Figure: the eight buffers A to H from the previous digest go through rounds 0 to 79, each round taking W_i and K_i; the values of the eight buffers at the start are added to the round-79 output in the final adding]



Structure of Each Round

In each round, eight new values for the 64-bit buffers are created from the values of the
buffers in the previous round. As Figure 12.11 shows, six buffers are the exact copies of
one of the buffers in the previous round as shown below:

A -> B    B -> C    C -> D    E -> F    F -> G    G -> H

Two new buffers, A and E, receive their inputs from some complex functions
that involve some of the previous buffers, the corresponding word for this round (W_i),
and the corresponding constant for this round (K_i). Figure 12.11 shows the structure of
each round.



Figure 12.11 Structure of each round in SHA-512
[Figure: buffers A to H; Majority(A, B, C) and Rotate(A) feed Mixer 2; Conditional(E, F, G), Rotate(E), W_i and K_i feed Mixer 1; the mixers produce the new A and E]

Majority(x, y, z): (x AND y) ⊕ (y AND z) ⊕ (z AND x)
Conditional(x, y, z): (x AND y) ⊕ (NOT x AND z)
Rotate(x): RotR_28(x) ⊕ RotR_34(x) ⊕ RotR_39(x) for A; RotR_14(x) ⊕ RotR_18(x) ⊕ RotR_41(x) for E
RotR_i(x): Right-rotation of the argument x by i bits
⊞: addition modulo 2^64



There are two mixers, three functions, and several operators. Each mixer combines
two functions. The description of the functions and operators follows:

1. The Majority function, as we call it, is a bitwise function. It takes three corre-
sponding bits in three buffers (A, B, and C) and calculates

(A_i AND B_i) ⊕ (B_i AND C_i) ⊕ (C_i AND A_i)

The resulting bit is the majority of three bits. If two or three bits are 1's, the result-
ing bit is 1; otherwise it is 0.

2. The Conditional function, as we call it, is also a bitwise function. It takes three cor-
responding bits in three buffers (E, F, and G) and calculates

(E_i AND F_i) ⊕ (NOT E_i AND G_i)

The resulting bit is the logic "if E_i then F_i else G_i".

3. The Rotate function, as we call it, right-rotates the three instances of the same
buffer (A or E) and applies the exclusive-or operation on the results.

Rotate(A): RotR_28(A) ⊕ RotR_34(A) ⊕ RotR_39(A)
Rotate(E): RotR_14(E) ⊕ RotR_18(E) ⊕ RotR_41(E)

4. The right-rotation function, RotR_i(x), is the same as the one we used in the word-
expansion process. It right-rotates its argument x by i bits; it is actually a circular shift-
right operation.

5. The addition operator used in the process is addition modulo 2^64. This means that
the result of adding two or more buffers is always a 64-bit word.

6. There are 80 constants, K_0 to K_79, each of 64 bits, as shown in Table 12.3 in hexa-
decimal format (four in a row). Similar to the initial values for the eight digest
buffers, these values are calculated from the first 80 prime numbers (2, 3, ..., 409).

Table 12.3 Eighty constants used for eighty rounds in SHA-512

428A2F98D728AE22  7137449123EF65CD  B5C0FBCFEC4D3B2F  E9B5DBA58189DBBC
3956C25BF348B538  59F111F1B605D019  923F82A4AF194F9B  AB1C5ED5DA6D8118
D807AA98A3030242  12835B0145706FBE  243185BE4EE4B28C  550C7DC3D5FFB4E2
72BE5D74F27B896F  80DEB1FE3B1696B1  9BDC06A725C71235  C19BF174CF692694
E49B69C19EF14AD2  EFBE4786384F25E3  0FC19DC68B8CD5B5  240CA1CC77AC9C65
2DE92C6F592B0275  4A7484AA6EA6E483  5CB0A9DCBD41FBD4  76F988DA831153B5
983E5152EE66DFAB  A831C66D2DB43210  B00327C898FB213F  BF597FC7BEEF0EE4
C6E00BF33DA88FC2  D5A79147930AA725  06CA6351E003826F  142929670A0E6E70
27B70A8546D22FFC  2E1B21385C26C926  4D2C6DFC5AC42AED  53380D139D95B3DF
650A73548BAF63DE  766A0ABB3C77B2A8  81C2C92E47EDAEE6  92722C851482353B
A2BFE8A14CF10364  A81A664BBC423001  C24B8B70D0F89791  C76C51A30654BE30
D192E819D6EF5218  D69906245565A910  F40E35855771202A  106AA07032BBD1B8
19A4C116B8D2D0C8  1E376C085141AB53  2748774CDF8EEB99  34B0BCB5E19B48A8
391C0CB3C5C95A63  4ED8AA4AE3418ACB  5B9CCA4F7763E373  682E6FF3D6B2B8A3
748F82EE5DEFB2FC  78A5636F43172F60  84C87814A1F0AB72  8CC702081A6439EC
90BEFFFA23631E28  A4506CEBDE82BDE9  BEF9A3F7B2C67915  C67178F2E372532B
CA273ECEEA26619C  D186B8C721C0C207  EADA7DD6CDE0EB1E  F57D4F7FEE6ED178
06F067AA72176FBA  0A637DC5A2C898A6  113F9804BEF90DAE  1B710B35131C471B
28DB77F523047D84  32CAAB7B40C72493  3C9EBE0A15C9BEBC  431D67C49C100D4C
4CC5D4BECB3E42B6  597F299CFC657E2A  5FCB6FAB3AD6FAEC  6C44198C4A475817






Each value is the fraction part of the cubic root of the corresponding prime number
after converting it to binary and keeping only the first 64 bits. For example, the
80th prime is 409, with the cubic root (409)^(1/3) = 7.42291412044. Converting this
number to binary with only 64 bits in the fraction part, we get

(111.0110 1100 0100 0100 ... 0111)_2 -> (7.6C44198C4A475817)_16

SHA-512 keeps the fraction part, (6C44198C4A475817)_16, as an unsigned integer.

Example 12.7

We apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these
buffers are 0x7, 0xA, and 0xE, respectively, what is the leftmost digit of the result?

Solution

The digits in binary are 0111, 1010, and 1110.

a. The first bits are 0, 1, and 1. The majority is 1. We can also prove it using the definition
of the Majority function:

(0 AND 1) ⊕ (1 AND 1) ⊕ (1 AND 0) = 0 ⊕ 1 ⊕ 0 = 1

b. The second bits are 1, 0, and 1. The majority is 1.

c. The third bits are 1, 1, and 1. The majority is 1.

d. The fourth bits are 1, 0, and 0. The majority is 0.

The result is 1110, or 0xE in hexadecimal.

Example 12.8

We apply the Conditional function on E, F, and G buffers. If the leftmost hexadecimal digits of
these buffers are 0x9, 0xA, and 0xF respectively, what is the leftmost digit of the result?

Solution

The digits in binary are 1001, 1010, and 1111.

a. The first bits are 1, 1, and 1. Since E_1 = 1, the result is F_1, which is 1. We can also use the
definition of the Conditional function to prove it:

(1 AND 1) ⊕ (NOT 1 AND 1) = 1 ⊕ 0 = 1

b. The second bits are 0, 0, and 1. Since E_2 is 0, the result is G_2, which is 1.

c. The third bits are 0, 1, and 1. Since E_3 is 0, the result is G_3, which is 1.

d. The fourth bits are 1, 0, and 1. Since E_4 is 1, the result is F_4, which is 0.

The result is 1110, or 0xE in hexadecimal.
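SHA-512 as described in this section, as an added example (not code from the textbook): the padding and length field, the word expansion, the Majority, Conditional and Rotate functions, the 80 rounds with the final adding, and the initial values and round constants computed from the first 80 primes exactly as Tables 12.2 and 12.3 describe rather than typed in. The result is checked against Python's hashlib. The one departure from the textbook's padding formula is that, following FIPS 180-2, the leading 1 bit is always appended, so a message of length 896 mod 1024 bits gets 1024 padding bits rather than 0.

```python
"""SHA-512 from Section 12.2, written as an added example (not the textbook's code).
The initial values and round constants are computed from the first 80 primes as
Tables 12.2 and 12.3 describe; the digest is cross-checked against hashlib."""
import hashlib
from math import isqrt

MASK64 = (1 << 64) - 1


def first_primes(count):
    """First `count` primes by trial division (the 8th is 19, the 80th is 409)."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def icbrt(n):
    """Integer cube root, the largest x with x**3 <= n (Newton iteration on integers)."""
    x = 1 << ((n.bit_length() + 2) // 3)          # an overestimate to start from
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


PRIMES = first_primes(80)
# A_0..H_0: first 64 fraction bits of sqrt(p) for the first eight primes (Table 12.2)
H0 = [isqrt(p << 128) & MASK64 for p in PRIMES[:8]]
# K_0..K_79: first 64 fraction bits of the cube root of the first 80 primes (Table 12.3)
K = [icbrt(p << 192) & MASK64 for p in PRIMES]


def rotr(x, i):
    """RotR_i(x): circular right shift of a 64-bit word by i bits."""
    return ((x >> i) | (x << (64 - i))) & MASK64


def padding_bits(msg_bits):
    """|P| = (-|M| - 128) mod 1024.  FIPS 180-2 always appends the leading 1 bit,
    so the textbook's 0 case (|M| = 896 mod 1024) becomes a full 1024-bit padding."""
    return ((-msg_bits - 128) % 1024) or 1024


def pad(msg):
    """Append one 1, the required 0s and the 128-bit length field (multiple of 1024 bits)."""
    bits = len(msg) * 8
    padded = msg + b"\x80" + b"\x00" * (padding_bits(bits) // 8 - 1)
    return padded + bits.to_bytes(16, "big")


def expand(block):
    """Word expansion (Figure 12.9): W_0..W_15 from the block, W_16..W_79 derived."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for i in range(16, 80):
        s0 = rotr(w[i - 15], 1) ^ rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = rotr(w[i - 2], 19) ^ rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK64)
    return w


def compress(h_prev, block):
    """Figure 12.10: 80 rounds over buffers A..H, then the final adding of H_{i-1}."""
    a, b, c, d, e, f, g, h = h_prev
    w = expand(block)
    for i in range(80):
        majority = (a & b) ^ (b & c) ^ (c & a)               # Majority(A, B, C)
        conditional = (e & f) ^ (~e & MASK64 & g)            # Conditional(E, F, G)
        rotate_a = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)   # Rotate(A)
        rotate_e = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)   # Rotate(E)
        t1 = (h + rotate_e + conditional + K[i] + w[i]) & MASK64   # Mixer 1
        t2 = (rotate_a + majority) & MASK64                          # Mixer 2
        # six buffers are copied (A->B, B->C, C->D, E->F, F->G, G->H); A and E are new
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(h_prev, (a, b, c, d, e, f, g, h))]


def sha512(msg):
    """Merkle-Damgard iteration of compress() over the 1024-bit blocks of pad(msg)."""
    padded = pad(msg)
    digest = H0
    for i in range(0, len(padded), 128):
        digest = compress(digest, padded[i:i + 128])
    return b"".join(word.to_bytes(8, "big") for word in digest)


def matches_hashlib(msg):
    """Cross-check against the library implementation."""
    return sha512(msg) == hashlib.sha512(msg).digest()
```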



Analysis

With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks,
including collision attacks. It has been claimed that this version's improved design
makes it more efficient and more secure than the previous versions. However, more
research and testing are needed to confirm this claim.



12.3 WHIRLPOOL

Whirlpool is designed by Vincent Rijmen and Paulo S. L. M. Barreto. It is endorsed by
the New European Schemes for Signatures, Integrity, and Encryption (NESSIE).

Whirlpool is an iterated cryptographic hash function, based on the Miyaguchi-Preneel
scheme, that uses a symmetric-key block cipher in place of the compression function.
The block cipher is a modified AES cipher that has been tailored for this purpose.
Figure 12.12 shows the Whirlpool hash function.

Figure 12.12 Whirlpool hash function
[Figure: message with padding and length field, a multiple of 512-bit blocks (the padded message is an odd multiple of 256-bit blocks, followed by a 256-bit length field); each 512-bit block is encrypted by the Whirlpool cipher with the 512-bit digest as the key; the final value is the message digest]



Preparation

Before starting the hash algorithm, the message needs to be prepared for processing.
Whirlpool requires that the length of the original message be less than 2^256 bits. A mes-
sage needs to be padded before being processed. The padding is a single 1-bit followed
by the necessary number of 0-bits to make the length of the padded message an odd multiple
of 256 bits. After padding, a block of 256 bits is added to define the length of the origi-
nal message. This block is treated as an unsigned number.

After padding and adding the length field, the augmented message size is an even
multiple of 256 bits or a multiple of 512 bits. Whirlpool creates a digest of 512 bits
from a message of multiple 512-bit blocks. The 512-bit digest, H_0, is initialized to all 0s.
This value becomes the cipher key for encrypting the first block. The ciphertext result-
ing from encrypting each block becomes the cipher key for the next block after being
exclusive-ored with the previous cipher key and the plaintext block. The message digest
is the final 512-bit ciphertext after the last exclusive-or operation.



SECTION 12.3 WHIRLPOOL 377

Whirlpool Cipher

The Whirlpool cipher is a non-Feistel cipher like AES that was mainly designed as a
block cipher to be used in a hash algorithm. Instead of giving the whole description of
this cipher, we just assume that the reader is familiar with AES from Chapter 7. Here, the
Whirlpool cipher is compared with the AES cipher and their differences are mentioned.

Whirlpool is a round cipher that uses 10 rounds. The block size and key size are 512 bits.
The cipher uses 11 round keys, K_0 to K_10, each of 512 bits. Figure 12.13 shows the
general design of the Whirlpool cipher.



Figure 12.13 General idea of the Whirlpool cipher
[Figure: cipher key (512 bits) expanded into round keys K_0 to K_10; a 512-bit block passes a pre-round and 10 rounds to give the 512-bit ciphertext]

States and Blocks

Like the AES cipher, the Whirlpool cipher uses states and blocks. However, the size of
the block or state is 512 bits. A block is considered as a row matrix of 64 bytes; a state
is considered as a square matrix of 8 x 8 bytes. Unlike AES, the block-to-state or state-
to-block transformation is done row by row. Figure 12.14 shows the block, the state,
and the transformation in the Whirlpool cipher.

Structure of Each Round

Figure 12.15 shows the structure of each round. Each round uses four transformations.

SubBytes Like in AES, SubBytes provides a nonlinear transformation. A byte is rep-
resented as two hexadecimal digits. The left digit defines the row and the right digit
defines the column of the substitution table. The two hexadecimal digits at the junction
of the row and the column are the new byte. Figure 12.16 shows the idea.



Figure 12.14 Block and state in the Whirlpool cipher
[Figure: block of 64 bytes b_0 ... b_63; state as an 8 x 8 matrix of bytes s_{i,j}, filled row by row]

Figure 12.15 Structure of each round in the Whirlpool cipher
[Figure: State -> SubBytes -> ShiftColumns -> MixRows -> AddRoundKey (with the round key) -> State]



Figure 12.16 SubBytes transformation in the Whirlpool cipher
[Figure: for a byte xy, the left hexadecimal digit x selects the row and the right digit y the column of the substitution table]
































In the SubBytes transformation, the state is treated as an 8 x 8 matrix of bytes.
Transformation is done one byte at a time. The contents of each byte are changed but
the arrangement of the bytes in the matrix remains the same. In the process, each byte
is transformed independently; we have 64 distinct byte-to-byte transformations.

Table 12.4 shows the substitution table (S-Box) for the SubBytes transformation. The
transformation definitely provides a confusion effect. For example, two bytes, 5A_16 and
5B_16, which differ only in one bit (the rightmost bit), are transformed to 5B_16 and 88_16,
which differ in five bits.

Table 12.4 SubBytes transformation table (S-Box)

       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0   18 23 C6 E8 87 B8 01 4F 36 A6 D2 F5 79 6F 91 52
  1   60 BC 9B 8E A3 0C 7B 35 1D E0 D7 C2 2E 4B FE 57
  2   15 77 37 E5 9F F0 4A DA 58 C9 29 0A B1 A0 6B 85
  3   BD 5D 10 F4 CB 3E 05 67 E4 27 41 8B A7 7D 95 D8
  4   FB EE 7C 66 DD 17 47 9E CA 2D BF 07 AD 5A 83 33
  5   63 02 AA 71 C8 19 49 D9 F2 E3 5B 88 9A 26 32 B0
  6   E9 0F D5 80 BE CD 34 48 FF 7A 90 5F 20 68 1A AE
  7   B4 54 93 22 64 F1 73 12 40 08 C3 EC DB A1 8D 3D
  8   97 00 CF 2B 76 82 D6 1B B5 AF 6A 50 45 F3 30 EF
  9   3F 55 A2 EA 65 BA 2F C0 DE 1C FD 4D 92 75 06 8A
  A   B2 E6 0E 1F 62 D4 A8 96 F9 C5 25 59 84 72 39 4C
  B   5E 78 38 8C D1 A5 E2 61 B3 21 9C 1E 43 C7 FC 04
  C   51 99 6D 0D FA DF 7E 24 3B AB CE 11 8F 4E B7 EB
  D   3C 81 94 F7 B9 13 2C D3 E7 6E C4 03 56 44 7F A9
  E   2A BB C1 53 DC 0B 9D 6C 31 74 F6 46 AC 89 14 E1
  F   16 3A 69 09 70 B6 D0 ED CC 42 98 A4 28 5C F8 86



The entries in Table 12.4 can be calculated algebraically using the GF(2^4) field
with the irreducible polynomial (x^4 + x + 1) as shown in Figure 12.17. Each hexadeci-
mal digit in a byte is input to a minibox (E and E^-1). The results are fed into another
minibox, R. The E box calculates the exponential of the input hexadecimal digit; the R box
uses a pseudorandom number generator.

The E^-1 box is just the inverse of the E box where the roles of input and output are
changed. The input/output values for the boxes are also tabulated in Figure 12.17.

Figure 12.17 SubBytes in the Whirlpool cipher
[Figure: the byte a_1 a_2 a_3 a_4 a_5 a_6 a_7 a_8 is split into two hexadecimal digits; the left digit enters the E box and the right digit the E^-1 box; the two results are combined and pass through the R box; the output digits are formed by a final E and E^-1 box]

E box
Input:   0 1 2 3 4 5 6 7 8 9 A B C D E F
Output:  1 B 9 C D 6 F 3 E 8 7 4 A 2 5 0

E^-1 box
Input:   0 1 2 3 4 5 6 7 8 9 A B C D E F
Output:  F 0 D 7 B E 5 A 9 2 C 1 3 4 8 6

R box
Input:   0 1 2 3 4 5 6 7 8 9 A B C D E F
Output:  7 C B D E 4 9 F 6 3 8 A 2 5 1 0

(values in hexadecimal)



ShiftColumns To provide permutation, Whirlpool uses the ShiftColumns transforma-
tion, which is similar to the ShiftRows transformation in AES, except that the columns
instead of rows are shifted. Shifting depends on the position of the column. Column 0
goes through 0-byte shifting (no shifting), while column 7 goes through 7-byte shifting.
Figure 12.18 shows the shifting transformation.



Figure 12.18 ShiftColumns transformation in the Whirlpool cipher
[Figure: column j of the state is cyclically shifted by j bytes, j = 0 to 7]






MixRows The MixRows transformation has the same effect as the MixColumns
transformation in AES: it diffuses the bits. The MixRows transformation is a matrix
transformation where bytes are interpreted as 8-bit words (or polynomials) with coeffi-
cients in GF(2). Multiplication of bytes is done in GF(2^8), but the modulus is different
from the one used in AES. The Whirlpool cipher uses (0x11D) or (x^8 + x^4 + x^3 + x^2 + 1)
as the modulus. Addition is the same as XORing of 8-bit words. Figure 12.19 shows the
MixRows transformation.

Figure 12.19 MixRows transformation in the Whirlpool cipher
[Figure: each row of the state is multiplied by the constant matrix below to give the new row]

Constant matrix:
01 01 04 01 08 05 02 09
09 01 01 04 01 08 05 02
02 09 01 01 04 01 08 05
05 02 09 01 01 04 01 08
08 05 02 09 01 01 04 01
01 08 05 02 09 01 01 04
04 01 08 05 02 09 01 01
01 04 01 08 05 02 09 01

The figure shows multiplication of a single row by the constant matrix; the mul-
tiplication can actually be done by multiplying the whole state by the constant
matrix. Note that in the constant matrix, each row is the one-byte right shift of the
previous row.

AddRoundKey The AddRoundKey transformation in the Whirlpool cipher is done
byte by byte, because each round key is also a state of an 8 x 8 matrix. Figure 12.20
shows the process. Each byte from the data state is added, in the GF(2^8) field, to the corre-
sponding byte of the round key.

Figure 12.20 AddRoundKey transformation in the Whirlpool cipher
[Figure: each byte of the state is exclusive-ored with the byte in the same position of the round key]

Key Expansion

As Figure 12.21 shows, the key-expansion algorithm in Whirlpool is totally different
from the algorithm in AES. Instead of using a new algorithm for creating round keys,
Whirlpool uses a copy of the encryption algorithm (without the pre-round) to create
the round keys. The output of each round in the encryption algorithm is the round key
for that round. At first glance, this looks like a circular definition: where do the round
keys for the key expansion algorithm come from? Whirlpool has elegantly solved this
problem by using ten round constants (RCs) as the virtual round keys for the key-
expansion algorithm. In other words, the key-expansion algorithm uses constants as
the round keys and the encryption algorithm uses the output of each round of the key-
expansion algorithm as the round keys. The key-generation algorithm treats the cipher
key as the plaintext and encrypts it. Note that the cipher key is also used as K_0 in the
encryption algorithm.

Round Constants Each round constant, RC r is an 8 x 8 matrix where only the first 
row has no n -zero values. The rest of the entries are all Q*s. The values for the first 
row in each constant matriK can be calculated using the SnbBv tea I rans formation 
(Table 12.4). 



RC_round[row, column] = SubBytes(8(round - 1) + column)    if row = 0
RC_round[row, column] = 0                                   if row ≠ 0



SECTION 12.3 WHIRLPOOL 383

Figure 12.21 Key expansion in the Whirlpool cipher

[Figure: the cipher key goes through the rounds of the encryption algorithm (SubBytes, ShiftColumns, MixRows, AddRoundKey) with RC_r as the round key of round r; the output of each round is the round key K_r.]

In other words, RC_1 uses the first eight entries in the SubBytes transformation table (Table 12.4); RC_2 uses the second eight entries, and so on. For example, Figure 12.22 shows RC_3, where the first row is the third eight entries in the SubBytes table.

Figure 12.22 Round constant for the third round

[Figure: RC_3 is an 8 x 8 matrix; its first row holds eight entries from the SubBytes table (printed in the figure as 1D E0 D7 ... 57) and its other seven rows are all 00.]


Summary

Table 12.5 summarizes some characteristics of the Whirlpool cipher.

Table 12.5 Main characteristics of the Whirlpool cipher

Block size: 512 bits
Cipher key size: 512 bits
Number of rounds: 10
Key expansion: using the cipher itself with round constants as round keys
Substitution: SubBytes transformation
Permutation: ShiftColumns transformation
Mixing: MixRows transformation
Round constants: cubic roots of the first eighty prime numbers

Analysis

Although Whirlpool has not been extensively studied or tested, it is based on a robust scheme (Miyaguchi-Preneel), and for a compression function, uses a cipher that is based on AES, a cryptosystem that has proved very resistant to attacks. In addition, the size of the message digest is the same as for SHA-512. Therefore it is expected to be a very strong cryptographic hash function. However, more testing and research are needed to confirm this. The only concern is that Whirlpool, which is based on a cipher as the compression function, may not be as efficient as SHA-512, particularly when it is implemented in hardware.


12.4 RECOMMENDED READING

For more details about subjects discussed in this chapter, we recommend the following books and websites. The items enclosed in brackets refer to the reference list at the end of the book.

Books

Several books give a good coverage of cryptographic hash functions, including [Sti06], [Sta06], [Sch99], [Mao04], [KPS02], [PHS03], and [MOV97].

WebSites

The following websites give more information about topics discussed in this chapter.

http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
http://www.faqs.org/rfcs/rfc4231.html
http://www.itl.nist.gov/fipspubs/fip180-1.htm
http://www.ietf.org/rfc/rfc3174.txt
http://planeta.terra.com.br/inf... (URL truncated in the scan)






12.5 KEY TERMS

AddRoundKey
compression function
Davies-Meyer scheme
HAVAL
iterated cryptographic hash function
Matyas-Meyer-Oseas scheme
MD2
MD4
MD5
Merkle-Damgard scheme
Message Digest (MD)
MixRows
Miyaguchi-Preneel scheme
New European Schemes for Signatures, Integrity, and Encryption (NESSIE)
Rabin scheme
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
RIPEMD-160
Secure Hash Algorithm (SHA)
Secure Hash Standard (SHS)
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
ShiftColumns
SubBytes
Whirlpool cipher
Whirlpool cryptographic hash function
word expansion



12.6 SUMMARY

□ All cryptographic hash functions must create a fixed-size digest out of a variable-size message. Creating such a function is best accomplished using iteration. A compression function is repeatedly used to create the digest. The scheme is referred to as an iterated hash function.

□ The Merkle-Damgard scheme is an iterated cryptographic hash function that is collision resistant if the compression function is collision resistant. The Merkle-Damgard scheme is the basis for many cryptographic hash functions today.

□ There is a tendency to use two different approaches in designing the compression function. In the first approach, the compression function is made from scratch: it is particularly designed for this purpose. In the second approach, a symmetric-key block cipher serves instead of a compression function.

□ A set of cryptographic hash functions uses compression functions that are made from scratch. These compression functions are specifically designed for the purpose they serve. Some examples are the Message Digest (MD) group, the Secure Hash Algorithm (SHA) group, RIPEMD, and HAVAL.

□ An iterated cryptographic hash function can use a symmetric-key block cipher instead of a compression function. Several schemes for this approach have been proposed, including the Rabin scheme, Davies-Meyer scheme, Matyas-Meyer-Oseas scheme, and Miyaguchi-Preneel scheme.



□ One of the promising cryptographic hash functions is SHA-512 with a 512-bit message digest based on the Merkle-Damgard scheme. It is made from scratch for this purpose.

□ Another promising cryptographic hash function is Whirlpool, which is endorsed by NESSIE. Whirlpool is an iterated cryptographic hash function, based on the Miyaguchi-Preneel scheme, that uses a symmetric-key block cipher in place of the compression function. The block cipher is a modified AES cipher tailored for this purpose.




12.7 PRACTICE SET

Review Questions

1. Define a cryptographic hash function.

2. Define an iterated cryptographic hash function.

3. Describe the idea of the Merkle-Damgard scheme and why this idea is so important for the design of a cryptographic hash function.

4. List some families of hash functions that do not use a cipher as the compression function.

5. List some schemes that have been designed to use a block cipher as the compression function.

6. List the main features of the SHA-512 cryptographic hash function. What kind of compression function is used in SHA-512?

7. List some features of the Whirlpool cryptographic hash function. What kind of compression function is used in Whirlpool?

8. Compare and contrast features of SHA-512 and Whirlpool cryptographic hash functions.

Exercises

9. In SHA-512, show the value of the length field in hexadecimal for the following message lengths:
a. 1000 bits
b. 10,000 bits
c. 1,000,000 bits

10. In Whirlpool, show the value of the length field in hexadecimal for the following message lengths:
a. 1000 bits
b. 10,000 bits
c. 1,000,000 bits

11. What is the padding for SHA-512 if the length of the message is:
a. 5120 bits
b. 5121 bits
c. 6143 bits






12. What is the padding for Whirlpool if the length of the message is:
a. 5120 bits
b. 5121 bits
c. 6143 bits

13. In each of the following cases, show that if two messages are the same, their last blocks are also the same (after padding and adding the length field):
a. The hash function is SHA-512.
b. The hash function is Whirlpool.

14. Calculate G_0 in Table 12.2 using the seventh prime (17).

15. Compare the compression function of SHA-512 without the last operation (final adding) with a cipher of 80 rounds. Show the similarities and differences.

16. The compression function used in SHA-512 (Figure 12.10) can be thought of as an encrypting cipher with 80 rounds. If the words W_0 to W_79 are thought of as round keys, which one of the schemes described in this chapter (Rabin, Davies-Meyer, Matyas-Meyer-Oseas, or Miyaguchi-Preneel) does it resemble? Hint: Think about the effect of the final addition operation.

17. Show that SHA-512 is subject to a meet-in-the-middle attack if the final adding operation is removed from the compression function.

18. Make a table similar to Table 12.5 to compare AES and Whirlpool.

19. Show that the third operation does not need to be removed from the tenth round in the Whirlpool cipher, but it must be removed in the AES cipher.

20. Find the result of RotR_12(x) if
x = 1234 5678 ABCD 2345 34564 5678 ABCD 2468

21. Find the result of ShL_12(x) if
x = 1234 5678 ABCD 2345 34564 5678 ABCD 2468

22. Find the result of Rotate(x) if
x = 1234 5678 ABCD 2345 34564 5678 ABCD 2468

23. Find the result of Conditional(x, y, z) if
x = 1234 5678 ABCD 2345 34564 5678 ABCD 2468
y = 2234 5678 ABCD 2345 34564 5678 ABCD 2468
z = 3234 5678 ABCD 2345 34564 5678 ABCD 2468

24. Find the result of Majority(x, y, z) if
x = 1234 5678 ABCD 2345 34564 5678 ABCD 2468
y = 2234 5678 ABCD 2345 34564 5678 ABCD 2468
z = 3234 5678 ABCD 2345 34564 5678 ABCD 2468

25. Write a routine (in pseudocode) to calculate RotR_i(x) in SHA-512 (Figure 12.9).

26. Write a routine (in pseudocode) to calculate ShL_i(x) in SHA-512 (Figure 12.9).



27. Write a routine (in pseudocode) for the Conditional function in SHA-512 (Figure 12.11).

28. Write a routine (in pseudocode) for the Majority function in SHA-512 (Figure 12.11).

29. Write a routine (in pseudocode) for the Rotate function in SHA-512 (Figure 12.11).

30. Write a routine (in pseudocode) to calculate the initial digest (values of A_0 to H_0) in SHA-512 (Table 12.2).

31. Write a routine (in pseudocode) to calculate the eighty constants in SHA-512 (Table 12.3).

32. Write a routine (in pseudocode) for the word-expansion algorithm in SHA-512 as shown in Figure 12.9. Consider two cases:
a. Using an array of 80 elements to hold all words
b. Using an array of 16 elements to hold only 16 words at a time

33. Write a routine (in pseudocode) for the compression function in SHA-512.

34. Write a routine (in pseudocode) to change a block of 512 bits to an 8 x 8 state matrix (Figure 12.4).

35. Write a routine (in pseudocode) to change an 8 x 8 state matrix to a block of 512 bits (Figure 12.4).

36. Write a routine (in pseudocode) for the SubBytes transformation in the Whirlpool cipher (Figure 12.16).

37. Write a routine (in pseudocode) for the ShiftColumns transformation in the Whirlpool cipher (Figure 12.18).

38. Write a routine (in pseudocode) for the MixRows transformation in the Whirlpool cipher (Figure 12.19).

39. Write a routine (in pseudocode) for the AddRoundKey transformation in the Whirlpool cipher (Figure 12.20).

40. Write a routine (in pseudocode) for key expansion in the Whirlpool cipher (Figure 12.21).

41. Write a routine (in pseudocode) to create the round constants in the Whirlpool cipher (Figure 12.20).

42. Write a routine (in pseudocode) for the Whirlpool cipher.

43. Write a routine (in pseudocode) for the Whirlpool cryptographic hash function.

44. Use the Internet (or other available resources) to find information about SHA-1. Then compare the compression function in SHA-1 with that in SHA-512. What are the similarities? What are the differences?

45. Use the Internet (or other available resources) to find information about the following compression functions, and compare them with SHA-512.
a. SHA-224
b. SHA-256
c. SHA-384

46. Use the Internet (or other available resources) to find information about RIPEMD, and compare it with SHA-512.

47. Use the Internet (or other available resources) to find information about HAVAL and compare it with SHA-512.



Digital Signature

Objectives

This chapter has several objectives:

□ To define a digital signature

□ To define security services provided by a digital signature

□ To define attacks on digital signatures

□ To discuss some digital signature schemes, including RSA, ElGamal, Schnorr, DSS, and elliptic curve

□ To describe some applications of digital signatures

We are all familiar with the concept of a signature. A person signs a document to show that it originated from her or was approved by her. The signature is proof to the recipient that the document comes from the correct entity. When a customer signs a check, the bank needs to be sure that the check is issued by that customer and nobody else. In other words, a signature on a document, when verified, is a sign of authentication; the document is authentic. Consider a painting signed by an artist. The signature on the art, if authentic, means that the painting is probably authentic.

When Alice sends a message to Bob, Bob needs to check the authenticity of the sender; he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically. In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.

In this chapter, we first introduce some issues related to digital signatures and then we walk through different digital signature schemes.



CHAPTER 13 DIGITAL SIGNATURE

13.1 COMPARISON

Let us begin by looking at the differences between conventional signatures and digital signatures.

Inclusion

A conventional signature is included in the document; it is part of the document. When we write a check, the signature is on the check; it is not a separate document. But when we sign a document digitally, we send the signature as a separate document. The sender sends two documents: the message and the signature. The recipient receives both documents and verifies that the signature belongs to the supposed sender. If this is proven, the message is kept; otherwise, it is rejected.

Verification Method

The second difference between the two types of signatures is the method of verifying the signature. For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. If they are the same, the document is authentic. The recipient needs to have a copy of this signature on file for comparison. For a digital signature, the recipient receives the message and the signature. A copy of the signature is not stored anywhere. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

Relationship

For a conventional signature, there is normally a one-to-many relationship between a signature and documents. A person uses the same signature to sign many documents. For a digital signature, there is a one-to-one relationship between a signature and a message. Each message has its own signature. The signature of one message cannot be used in another message. If Bob receives two messages, one after another, from Alice, he cannot use the signature of the first message to verify the second. Each message needs a new signature.

Duplicity

Another difference between the two types of signatures is a quality called duplicity. In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time (such as a timestamp) on the document. For example, suppose Alice sends a document instructing Bob to pay Eve. If Eve intercepts the document and the signature, she can replay it later to get money again from Bob.



13.2 PROCESS

Figure 13.1 shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected.

Figure 13.1 Digital signature process

[Figure: M: Message, S: Signature. The sender's signing algorithm produces S from M; (M, S) is sent; the receiver's verifying algorithm takes M and S and returns true or false.]

Need for Keys

A conventional signature is like a private "key" belonging to the signer of the document. The signer uses it to sign documents; no one else has this signature. The copy of the signature on file is like a public key; anyone can use it to verify a document, to compare it to the original signature.



In a digital signature, the signer uses her private key, applied to a signing algorithm, to sign the document. The verifier, on the other hand, uses the public key of the signer, applied to the verifying algorithm, to verify the document.

We can add the private and public keys to Figure 13.1 to give a more complete concept of digital signature (see Figure 13.2). Note that when a document is signed, anyone, including Bob, can verify it because everyone has access to Alice's public key. Alice must not use her public key to sign the document.

Figure 13.2 Adding key to the digital signature process

[Figure: M: Message, S: Signature. Alice's signing algorithm uses her private key to produce S; (M, S) is sent to Bob, whose verifying algorithm uses Alice's public key.]




Can we use a secret (symmetric) key to both sign and verify a signature? The answer is negative for several reasons. First, a secret key is known by only two entities (Alice and Bob, for example). So if Alice needs to sign another document and send it to Ted, she needs to use another secret key. Second, as we will see, creating a secret key for a session involves authentication, which uses a digital signature. We have a vicious cycle. Third, Bob could use the secret key between himself and Alice, sign a document, send it to Ted, and pretend that it came from Alice.

A digital signature needs a public-key system.
The signer signs with her private key; the verifier verifies with the signer's public key.

We should make a distinction between private and public keys as used in digital signatures and public and private keys as used in a cryptosystem for confidentiality. In the latter, the private and public keys of the receiver are used in the process. The sender uses the public key of the receiver to encrypt; the receiver uses his own private key to decrypt. In a digital signature, the private and public keys of the sender are used. The sender uses her private key; the receiver uses the sender's public key.

A cryptosystem uses the private and public keys of the receiver; a digital signature uses the private and public keys of the sender.



Signing the Digest

In Chapter 10, we learned that the asymmetric-key cryptosystems are very inefficient when dealing with long messages. In a digital signature system, the messages are normally long, but we have to use asymmetric-key schemes. The solution is to sign a digest of the message, which is much shorter than the message. As we learned in Chapter 11, a carefully selected message digest has a one-to-one relationship with the message. The sender can sign the message digest and the receiver can verify the message digest. The effect is the same. Figure 13.3 shows signing a digest in a digital signature system.

Figure 13.3 Signing the digest

[Figure: M: Message, S: Signature. Alice hashes M and signs the digest with her private key; (M, S) is sent; Bob hashes the received M and verifies S against the digest with Alice's public key.]






A digest is made out of the message at Alice's site. The digest then goes through the signing process using Alice's private key. Alice then sends the message and the signature to Bob. As we will see later in this chapter, there are variations in the process that are dependent on the system. For example, there might be additional calculations before the digest is made, or other secrets might be used. In some systems, the signature is a set of values.

At Bob's site, using the same public hash function, a digest is first created out of the received message. Calculations are done on the signature and the digest. The verifying process also applies criteria on the result of the calculation to determine the authenticity of the signature. If authentic, the message is accepted; otherwise, it is rejected.



13.3 SERVICES

We discussed several security services in Chapter 1 including message confidentiality, message authentication, message integrity, and nonrepudiation. A digital signature can directly provide the last three; for message confidentiality we still need encryption/decryption.

Message Authentication

A secure digital signature scheme, like a secure conventional signature (one that cannot be easily copied), can provide message authentication (also referred to as data-origin authentication). Bob can verify that the message is sent by Alice because Alice's public key is used in verification. Alice's public key cannot verify the signature signed by Eve's private key.

A digital signature provides message authentication.

Message Integrity

The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed. The digital signature schemes today use a hash function in the signing and verifying algorithms that preserve the integrity of the message.

A digital signature provides message integrity.

Nonrepudiation

If Alice signs a message and then denies it, can Bob later prove that Alice actually signed it? For example, if Alice sends a message to a bank (Bob) and asks to transfer $10,000 from her account to Ted's account, can Alice later deny that she sent this message? With the scheme we have presented so far, Bob might have a problem. Bob must keep the signature on file and later use Alice's public key to create the original message to prove the message in the file and the newly created message are the same. This is not feasible because Alice may have changed her private or public key during this time; she may also claim that the file containing the signature is not authentic.

One solution is a trusted third party. People can create an established trusted party among themselves. In later chapters, we will see how a trusted party can solve many other problems concerning security services and key exchange. Figure 13.4 shows how a trusted party can prevent Alice from denying that she sent the message.

Alice creates a signature from her message (S_A) and sends the message, her identity, Bob's identity, and the signature to the center. The center, after checking that Alice's public key is valid, verifies through Alice's public key that the message came from Alice. The center then saves a copy of the message with the sender identity, recipient identity, and a timestamp in its archive. The center uses its private key to create another signature (S_T) from the message. The center then sends the message, the new signature, Alice's identity, and Bob's identity to Bob. Bob verifies the message using the public key of the trusted center.



Figure 13.4 Using a trusted center for nonrepudiation

[Figure: S_A: Alice's signature; S_T: signature of the trusted center. Alice signs M with her private key and sends (M, S_A) to the trusted center; the center verifies with Alice's public key, archives M, signs it with its own private key, and sends (M, S_T) to Bob, who verifies with the public key of the trusted center.]



If in the future Alice denies that she sent the message, the center can show a copy of the saved message. If Bob's message is a duplicate of the message saved at the center, Alice will lose the dispute. To make everything confidential, a level of encryption/decryption can be added to the scheme, as discussed in the next section.

Nonrepudiation can be provided using a trusted party.

Confidentiality

A digital signature does not provide confidential communication. If confidentiality is required, the message and the signature must be encrypted using either a secret-key or public-key cryptosystem. Figure 13.5 shows how this extra level can be added to a simple digital signature scheme.



Figure 13.5 Adding confidentiality to a digital signature scheme

[Figure: M: Message, S: Signature. Alice signs M with her private key, then encrypts (M, S) with Bob's public key; Bob decrypts with his private key and verifies S with Alice's public key.]

We have shown asymmetric-key encryption/decryption just to emphasize the type of keys used at each end. Encryption/decryption can also be done with a symmetric key.

A digital signature does not provide privacy.
If there is a need for privacy, another layer of encryption/decryption must be applied.



13.4 ATTACKS ON DIGITAL SIGNATURE

This section describes some attacks on digital signatures and defines the types of forgery.

Attack Types

We will look at three kinds of attacks on digital signatures: key-only, known-message, and chosen-message.

Key-Only Attack

In the key-only attack, Eve has access only to the public information released by Alice. To forge a message, Eve needs to create Alice's signature to convince Bob that the message is coming from Alice. This is the same as the ciphertext-only attack we discussed for encipherment.

Known-Message Attack

In the known-message attack, Eve has access to one or more message-signature pairs. In other words, she has access to some documents previously signed by Alice. Eve tries to create another message and forge Alice's signature on it. This is similar to the known-plaintext attack we discussed for encipherment.

Chosen-Message Attack

In the chosen-message attack, Eve somehow makes Alice sign one or more messages for her. Eve now has a chosen-message/signature pair. Eve later creates another message, with the content she wants, and forges Alice's signature on it. This is similar to the chosen-plaintext attack we discussed for encipherment.

Forgery Types

If the attack is successful, the result is a forgery. We can have two types of forgery: existential and selective.

Existential Forgery

In an existential forgery, Eve may be able to create a valid message-signature pair, but not one that she can really use. In other words, a document has been forged, but the content is randomly calculated. This type of forgery is probable, but fortunately Eve cannot benefit from it very much. Her message could be syntactically or semantically unintelligible.



Selective Forgery

In selective forgery, Eve may be able to forge Alice's signature on a message with the content selectively chosen by Eve. Although this is beneficial to Eve, and may be very detrimental to Alice, the probability of such forgery is low, but not negligible.

13.5 DIGITAL SIGNATURE SCHEMES

Several digital signature schemes have evolved during the last few decades. Some of them have been implemented. In this section, we discuss these schemes. In the following section we discuss one that will probably become the standard.

RSA Digital Signature Scheme

In Chapter 10 we discussed how to use the RSA cryptosystem to provide privacy. The RSA idea can also be used for signing and verifying a message. In this case, it is called the RSA digital signature scheme. The digital signature scheme changes the roles of the private and public keys. First, the private and public keys of the sender, not the receiver, are used. Second, the sender uses her own private key to sign the document; the receiver uses the sender's public key to verify it. If we compare the scheme with the conventional way of signing, we see that the private key plays the role of the sender's own signature; the sender's public key plays the role of the copy of the signature that is available to the public. Obviously Alice cannot use Bob's public key to sign the message because then any other person could do the same. Figure 13.6 gives the general idea behind the RSA digital signature scheme.

Figure 13.6 General idea behind the RSA digital signature scheme

[Figure: M: Message; (e, n): Alice's public key; d: Alice's private key. Signing applies the function f(M, d, n) to produce S; verifying applies f(S, e, n) and compares the output with M.]

The signing and verifying sites use the same function, but with different parameters. The verifier compares the message and the output of the function for congruence. If the result is true, the message is accepted.

Key Generation

Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA cryptosystem (see Chapter 10). Alice chooses two primes p and q and calculates n = p × q. Alice calculates φ(n) = (p − 1)(q − 1). She then chooses the public exponent e and calculates d, the private exponent, such that e × d = 1 mod φ(n). Alice keeps d; she publicly announces n and e.

In the RSA digital signature scheme, d is private; n and e are public.

Figure 13.7 shows the RSA digital signature scheme.

[Figure 13.7: Alice signs M with her private key d, producing S; (M, S) is sent to Bob, who verifies with Alice's public key (e, n).]

Signing Alice creates a signature out of the message using her private exponent, S = M^d mod n, and sends the message and the signature to Bob.

Verifying Bob receives M and S. Bob applies Alice's public exponent to the signature to create a copy of the message, M' = S^e mod n. Bob compares the value of M' with the value of M. If the two values are congruent, Bob accepts the message. To prove this, we start with the verification criteria:

M' ≡ M (mod n)  →  S^e ≡ M (mod n)  →  M^(d×e) ≡ M (mod n)  →  M^(k×φ(n)+1) ≡ M (mod n)  →  M ≡ M (mod n)

The last congruence holds because M^φ(n) ≡ 1 mod n (see Euler's theorem in Chapter 9).




Example 13.1

For the security of the signature, the value of p and q must be very large. As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319. The value of φ(n) is 782544. Now she chooses e = 313 and calculates d = 160009. At this point key generation is complete. Now imagine that Alice wants to send a message with the value of M = 19070 to Bob. She uses her private exponent, 160009, to sign the message:

M: 19070  →  S = (19070^160009) mod 784319 = 210625 mod 784319

Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates

M' = 210625^313 mod 784319 = 19070 mod 784319  →  M ≡ M' mod n

Bob accepts the message because he has verified Alice's signature.
Attacks on RSA Signature

There are some attacks that Eve can apply to the RSA digital signature scheme to forge Alice's signature.

Key-Only Attack Eve has access only to Alice's public key. Eve intercepts the pair (M, S) and tries to create another message M' such that M' = S^e (mod n). This problem is as difficult to solve as the discrete logarithm problem we saw in Chapter 9. Besides, this is an existential forgery and normally is useless to Eve.

Known-Message Attack Here Eve uses the multiplicative property of RSA. Assume that Eve has intercepted two message-signature pairs (M_1, S_1) and (M_2, S_2) that have been created using the same private key. If M = (M_1 × M_2) mod n, then S = (S_1 × S_2) mod n. This is simple to prove because we have S_1 × S_2 = M_1^d × M_2^d = (M_1 × M_2)^d = M^d (mod n).

Eve can create M = (M_1 × M_2) mod n, and she can create S = (S_1 × S_2) mod n, and fool Bob into believing that S is Alice's signature on the message M. This attack, which is sometimes referred to as multiplicative attack, is easy to launch. However, this is an existential forgery as the message M is a multiplication of two previous messages created by Alice, not Eve; M is normally useless.

Chosen-Message Attack This attack also uses the multiplicative property of RSA. Eve can somehow ask Alice to sign two legitimate messages M_1 and M_2 for her and later creates a new message M = M_1 × M_2. Eve can later claim that Alice has signed M. The attack is also referred to as multiplicative attack. This is a very serious attack on the RSA digital signature scheme because it is a selective forgery (Eve can manipulate M_1 and M_2 to get a useful M).

RSA Signature on the Message Digest

As we discussed before, signing a message digest using a strong hash algorithm has several advantages. In the case of RSA, it can make the signing and verifying processes much faster because the RSA digital signature scheme is nothing other than encryption with the private key and decryption with the public key. The use of a strong cryptographic hashing function also makes the attack on the signature much more difficult, as we will explain shortly. Figure 13.8 shows the scheme.

Alice, the signer, first uses an agreed-upon hash function to create a digest from the message, D = h(M). She then signs the digest, S = D^d mod n. The message and the signature are sent to Bob. Bob, the verifier, receives the message and the signature. He first uses Alice's public exponent to retrieve the digest, D' = S^e mod n. He then applies the hash algorithm to the message received to obtain D = h(M). Bob now compares the two digests, D and D'. If they are congruent modulo n, he accepts the message.

Figure 13.8 The RSA signature on the message digest

[Figure 13.8: M: Message; S: Signature. Alice (signer) hashes M and signs the digest with her private key; Bob (verifier) recovers the digest with Alice's public key and compares it with h(M).]
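The RSA signing and verifying steps above, the multiplicative property behind the known-message and chosen-message attacks, and the digest-signing variant can all be checked with a short Python program. The following is an added example and is not code from the book (the book gives no program): it uses the key values of Example 13.1 and the message pair M1 = 100, M2 = 50 from Exercise 11; the SHA-256-based h(M) reduced modulo n is an assumed toy construction standing in for a real padding scheme.

```python
import hashlib

# Key material from Example 13.1: textbook-sized and NOT secure; used only
# so the arithmetic can be followed by hand.
P, Q = 823, 953
N = P * Q                    # n = 784319
PHI = (P - 1) * (Q - 1)      # phi(n) = 782544
E = 313                      # public exponent
D = pow(E, -1, PHI)          # private exponent d = 160009 (d * e = 1 mod phi(n))


def rsa_sign(m, d=D, n=N):
    """Textbook RSA signature on the message itself: S = M^d mod n."""
    return pow(m, d, n)


def rsa_verify(m, s, e=E, n=N):
    """Bob's check: accept iff S^e = M (mod n)."""
    return pow(s, e, n) == m % n


def digest(m, n=N):
    """Toy h(M): SHA-256 of the decimal message, reduced into Z_n so it can be
    signed with the same keys (assumed construction; a real scheme wraps the
    hash in a padding scheme such as PKCS#1 v1.5 or PSS instead)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % n


def sign_digest(m, d=D, n=N):
    """Signature on the digest: S = h(M)^d mod n."""
    return pow(digest(m, n), d, n)


def verify_digest(m, s, e=E, n=N):
    """Bob recovers D' = S^e mod n and compares it with D = h(M)."""
    return pow(s, e, n) == digest(m, n)


def is_multiplicative(m1, m2, sign, verify, n=N):
    """Malleability check: does the product of two valid signatures verify as a
    signature on the product of the two messages (mod n)?  True means the
    scheme is exposed to the known-message / chosen-message attacks above."""
    s1, s2 = sign(m1), sign(m2)
    m = (m1 * m2) % n
    s = (s1 * s2) % n
    return verify(m, s)


if __name__ == "__main__":
    s = rsa_sign(19070)
    print("d =", D, " S =", s, " verifies:", rsa_verify(19070, s))
    # Exercise 11 pair M1 = 100, M2 = 50 (constructed input for the check)
    print("raw RSA malleable:   ", is_multiplicative(100, 50, rsa_sign, rsa_verify))
    print("digest RSA malleable:", is_multiplicative(100, 50, sign_digest, verify_digest))
```

Running it shows the two sides of the argument in the text: with the message signed directly, the product of the two signatures is a valid signature on M1 × M2; once the digest is signed instead, the same product no longer verifies, because h(M1 × M2) is unrelated to h(M1) × h(M2).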

Attacks on RSA

How susceptible to attack is the RSA digital signature scheme when the digest is signed?

Key-Only Attack: We can have three cases of this attack:

a. Eve intercepts the pair (S, M) and tries to find another message M' that creates the same digest, h(M) = h(M'). As we learned in Chapter 11, if the hash algorithm is second preimage resistant, this attack is very difficult.

b. Eve finds two messages M and M' such that h(M) = h(M'). She lures Alice to sign h(M) to find S. Now Eve has a pair (M', S) which passes the verifying test, but it is a forgery. We learned in Chapter 11 that if the hash algorithm is collision resistant, this attack is very difficult.

c. Eve may randomly find a message digest D, which may match with a random signature S. She then finds a message M such that D = h(M). As we learned in Chapter 11, if the hash function is preimage resistant, this attack is very difficult to launch.

Known-Message Attack: Let us assume Eve has two message-signature pairs (M1, S1) and (M2, S2) which have been created using the same private key. Eve calculates S = S1 × S2. If she can find a message M such that h(M) = h(M1) × h(M2), she has forged a new message. However, finding M given h(M) is very difficult if the hash algorithm is preimage resistant.

Chosen-Message Attack: Eve can ask Alice to sign two legitimate messages M1 and M2 for her. Eve then creates a new signature S = S1 × S2. Since Eve can calculate h(M) = h(M1) × h(M2), if she can find a message M given h(M), the new message is a forgery. However, finding M given h(M) is very difficult if the hash algorithm is preimage resistant.

When the digest is signed instead of the message itself, the susceptibility of the RSA

ElGamal Digital Signature Scheme

The ElGamal cryptosystem was discussed in Chapter 10. The ElGamal digital signature scheme uses the same keys, but the algorithm, as expected, is different. Figure 13.9 gives the general idea behind the ElGamal digital signature scheme.

Figure 13.9 General idea behind the ElGamal digital signature scheme

[Figure 13.9: M: Message; (e1, e2, p): Alice's public key; d: Alice's private key; r: Random secret. Signing: two functions produce the two signatures (mod p and mod p − 1); Verifying: two functions are computed mod p and compared; Accept if equal.]

In the signing process, two functions create two signatures; in the verifying process the outputs of two functions are compared for verification. Note that one function is used both for signing and verifying, but the function uses different inputs. The figure also shows the inputs to each function. The message is part of the input to function 2 when signing; it is part of the input to function 1 when verifying. Note that the calculations in functions 1 and 3 are done modulo p; it is done modulo p − 1 in function 2.

Key Generation

The key generation procedure here is exactly the same as the one used in the cryptosystem. Let p be a prime number large enough that the discrete log problem is intractable in Z_p*. Let e1 be a primitive element in Z_p*. Alice selects her private key d to be less than p − 1. She calculates e2 = e1^d mod p. Alice's public key is the tuple (e1, e2, p); Alice's private key is d.

In the ElGamal digital signature scheme, (e1, e2, p) is Alice's public key; d is her private key.



Verifying and Signing

Figure 13.10 shows the ElGamal digital signature scheme.

Signing: Alice can sign the digest of a message to any entity including Bob:

1. Alice chooses a secret random number r. Note that although public and private keys can be used repeatedly, Alice needs a new r each time she signs a new message.



Figure 13.10 ElGamal digital signature scheme

[Figure 13.10: Alice (signer): r: Random secret; d: Alice's private key; (e1, e2, p): Alice's public key. Signing produces S1 = e1^r mod p and S2 = (M − d × S1) × r^−1 mod (p − 1); Bob (verifier) computes V1 and V2 mod p and compares them.]

2. Alice calculates the first signature S1 = e1^r mod p.

3. Alice calculates the second signature S2 = (M − d × S1) × r^−1 mod (p − 1), where r^−1 is the multiplicative inverse of r modulo p − 1.

4. Alice sends M, S1, and S2 to Bob.

Verifying: An entity, such as Bob, receives M, S1, and S2, which can be verified as follows:

1. Bob checks to see if 0 < S1 < p.

2. Bob checks to see if 0 < S2 < p − 1.

3. Bob calculates V1 = e1^M mod p.

4. Bob calculates V2 = e2^S1 × S1^S2 mod p.

5. If V1 is congruent to V2, the message is accepted; otherwise, it is rejected. We can prove the verification criterion using e2 = e1^d mod p and S1 = e1^r mod p:

V1 ≡ V2 (mod p)  →  e1^M ≡ e2^S1 × S1^S2 (mod p)  →  e1^M ≡ e1^(d × S1) × e1^(r × S2) (mod p)  →  e1^M ≡ e1^(d × S1 + r × S2) (mod p)

Because e1 is a primitive root, it can be proved that the above congruence holds if and only if M = [d × S1 + r × S2] mod (p − 1) or S2 = [(M − d × S1) × r^−1] mod (p − 1), which is the same as we started with in the signing process.



Example 13.2

Here is a trivial example. Alice chooses p = 3119, e1 = 2, d = 127 and calculates e2 = 2^127 mod 3119 = 1702. She also chooses r to be 307. She announces e1, e2, and p publicly; she keeps d secret. The following shows how Alice can sign a message.

S1 = e1^r mod p = 2^307 mod 3119 = 2083
S2 = (M − d × S1) × r^−1 mod (p − 1) = (M − 127 × 2083) × 307^−1 mod 3118 = 2105

Alice sends M, S1, and S2 to Bob. Bob uses the public key to calculate V1 and V2.

V1 = e1^M mod p = 2^M mod 3119 = 3006 mod 3119
V2 = e2^S1 × S1^S2 mod p = 1702^2083 × 2083^2105 mod 3119 = 3006 mod 3119

Because V1 and V2 are congruent, Bob accepts the message and he assumes that the message has been signed by Alice because no one else has Alice's private key, d.

Example 13.3

Now imagine that Alice wants to send another message, M = 3000, to Ted. She chooses a new r, 107. Alice sends M, S1, and S2 to Ted. Ted uses the public keys to calculate V1 and V2.

S1 = e1^r mod p = 2^107 mod 3119
S2 = (M − d × S1) × r^−1 mod (p − 1) = (3000 − 127 × S1) × 107^−1 mod 3118
V1 = e1^M mod p = 2^3000 mod 3119
V2 = e2^S1 × S1^S2 mod p = 1702^S1 × S1^S2 mod 3119

Because V1 and V2 are congruent, Ted accepts the message and assumes that the message has been signed by Alice because no one else has Alice's private key, d. Note that any person can receive the message. The goal is not to hide the message, but to prove that it is sent by Alice.
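The signing and verifying steps above, including Bob's two range checks, as an added Python example that is not part of the textbook. It uses the toy parameters of Examples 13.2 and 13.3 (p = 3119, e1 = 2, d = 127). The message value M = 320 used for Example 13.2 is an assumption made here; it reproduces the S2 = 2105 and V1 = V2 = 3006 quoted in that example. The value r = 107 for Example 13.3 is taken from the text.

```python
from math import gcd

# Toy parameters of Examples 13.2 and 13.3 (NOT secure; a real p is >= 1024 bits).
P, E1, D = 3119, 2, 127           # public prime, primitive element, private key
E2 = pow(E1, D, P)                # e2 = e1^d mod p  (= 1702)


def elgamal_sign(m, r, d=D, p=P, e1=E1):
    """Return (S1, S2) on message m using the secret random r.
    r must be fresh for every message and invertible modulo p - 1."""
    if not (0 < r < p - 1) or gcd(r, p - 1) != 1:
        raise ValueError("r must satisfy 0 < r < p-1 and gcd(r, p-1) == 1")
    s1 = pow(e1, r, p)                            # S1 = e1^r mod p
    r_inv = pow(r, -1, p - 1)                     # r^-1 mod (p - 1)
    s2 = ((m - d * s1) * r_inv) % (p - 1)         # S2 = (M - d*S1) * r^-1 mod (p - 1)
    return s1, s2


def elgamal_verify(m, s1, s2, e1=E1, e2=E2, p=P):
    """Bob's five steps: range checks first, then compare
    V1 = e1^M mod p with V2 = e2^S1 * S1^S2 mod p."""
    if not (0 < s1 < p):          # step 1
        return False
    if not (0 < s2 < p - 1):      # step 2
        return False
    v1 = pow(e1, m, p)                                    # step 3
    v2 = (pow(e2, s1, p) * pow(s1, s2, p)) % p            # step 4
    return v1 == v2                                       # step 5


def example_13_2():
    """Alice signs M = 320 (assumed value) with r = 307; Bob verifies."""
    m, r = 320, 307
    s1, s2 = elgamal_sign(m, r)
    return s1, s2, elgamal_verify(m, s1, s2)


def example_13_3():
    """Alice signs M = 3000 with a fresh r = 107 for Ted; Ted verifies."""
    m, r = 3000, 107
    s1, s2 = elgamal_sign(m, r)
    return s1, s2, elgamal_verify(m, s1, s2)


if __name__ == "__main__":
    print("e2 =", E2)
    print("Example 13.2 (S1, S2, verified):", example_13_2())
    print("Example 13.3 (S1, S2, verified):", example_13_3())
```

The gcd test in elgamal_sign is what makes r^−1 mod (p − 1) exist; the range checks in elgamal_verify are the two conditions the text lists before V1 and V2 are computed, and they are done first so that a malformed pair is rejected before any exponentiation.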

Forgery in the ElGamal Digital Signature Scheme

The ElGamal scheme is vulnerable to existential forgery, but it is very hard to do a selective forgery on this scheme.

Key-Only Forgery: In this type of forgery, Eve has access only to the public key. Two kinds of forgery are possible:

1. Eve has a predefined message M. She needs to forge Alice's signature on it. She must find two valid signatures S1 and S2 for this message. This is a selective forgery.

a. Eve can choose S1 and calculate S2. She needs to have e2^S1 × S1^S2 ≡ e1^M (mod p). In other words, S1^S2 ≡ e1^M × e2^(−S1) (mod p) or S2 = log_S1 (e1^M × e2^(−S1)) (mod p). This means computing the discrete logarithm, which is very difficult.

b. Eve can choose S2 and calculate S1. This is much harder than part a.

2. Eve may be able to find three random values, M, S1, and S2 such that the last two are the signature of the first one. If Eve can find two new parameters x and y such that M = x S2 mod (p − 1) and S1 = −y S2 mod (p − 1), she can forge the message, but it might not be very useful for her. This is an existential forgery.

Known-Message Forgery: If Eve has intercepted a message M and its two signatures S1 and S2, she can find another message M', with the same pair of signatures S1 and S2. However, note that this is also an existential forgery that does not help Eve very much.

Schnorr Digital Signature Scheme

The problem with the ElGamal digital signature scheme is that p needs to be very large to guarantee that the discrete log problem is intractable in Z_p*. The recommendation is a p of at least 1024 bits. This could make the signature as large as 2048 bits. To reduce the size of the signature, Schnorr proposed a new scheme based on ElGamal, but with a reduced signature size. Figure 13.11 gives the general idea behind the Schnorr digital signature scheme.

Figure 13.11 General idea behind the Schnorr digital signature scheme

[Figure 13.11: (e1, e2, p, q): Alice's public key; d: Alice's private key; r: Random secret. Signing: function 1 (mod p) and function 2 (mod q) produce S1 and S2; Verifying: function 3 (mod p) produces V, which is compared with S1; Accept if equal.]

In the signing process, two functions create two signatures; in the verifying process the output of one function is compared to the first signature for verification. Figure 13.11 also shows the inputs to each function. The important point is that the scheme uses two moduli: p and q. Functions 1 and 3 use p; function 2 uses q. The details of inputs and the functions will be discussed shortly.




Key Generation

Before signing a message, Alice needs to generate keys and announce the public ones to the public.

1. Alice selects a prime p, which is usually 1024 bits in length.

2. Alice selects another prime q, which is the same size as the digest created by the cryptographic hash function (currently 160 bits, but it may change in the future). The prime q needs to divide (p − 1). In other words, (p − 1) = 0 mod q.

3. Alice chooses e1 to be the qth root of 1 modulo p. To do so, Alice chooses a primitive element in Z_p*, e0 (see Appendix J), and calculates e1 = e0^((p − 1)/q) mod p.

4. Alice chooses an integer, d, as her private key.

5. Alice calculates e2 = e1^d mod p.

6. Alice's public key is (e1, e2, p, q); her private key is (d).

In the Schnorr digital signature scheme, Alice's public key is (e1, e2, p, q); her private key is (d).



Signing and Verifying

Figure 13.12 shows the Schnorr digital signature scheme.

Figure 13.12 Schnorr digital signature scheme

[Figure 13.12: S1, S2: Signatures; V: Verification; d: Alice's private key; h(...): Hash algorithm; (e1, e2, p, q): Alice's public key. Alice (signer): S1 = h(M | e1^r mod p), S2 = r + d × S1 mod q; Bob (verifier): V = h(M | e1^S2 e2^−S1 mod p), compared with S1.]

Signing:

1. Alice chooses a random number r. Note that although public and private keys can be used to sign multiple messages, Alice needs to change r each time she sends a new message. Note also that r needs to be between 1 and q.

2. Alice calculates the first signature S1 = h(M | e1^r mod p). The message is prepended to the value of e1^r mod p; then the hash function is applied to create a digest. Note that the hash function is not directly applied to the message, but instead is applied to the concatenation of M and e1^r mod p.

3. Alice calculates the second signature S2 = r + d × S1 mod q. Note that part of the calculation of S2 is done in modulo q arithmetic.

4. Alice sends M, S1, and S2.

Verifying Message: The receiver, Bob, for example, receives M, S1, and S2.

1. Bob calculates V = h(M | e1^S2 e2^−S1 mod p).

2. If S1 is congruent to V modulo p, the message is accepted; otherwise, it is rejected.
Example 13.4

Here is a trivial example. Suppose we choose q = 103 and p = 2267. Note that p = 22 × q + 1. We choose e0 = 2, which is a primitive element in Z_2267*. Then (p − 1)/q = 22, so we have e1 = 2^22 mod 2267 = 354. We choose d = 30, so e2 = 354^30 mod 2267 = 1206. Alice's private key is now (d); her public key is (e1, e2, p, q).

Alice wants to send a message M. She chooses r = 11 and calculates e1^r = 354^11 = 630 mod 2267. Assume that the message is 1000 and concatenation means 1000630. Also assume that the hash of this value gives the digest h(1000630) = 200. This means S1 = 200. Alice calculates S2 = r + d × S1 mod q = 11 + 1026 × 200 mod 103 = 11 + 24 = 35. Alice sends the message M = 1000, S1 = 200 and S2 = 35. The verification is left as an exercise.
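The Schnorr steps above as an added Python example (not code from the book), using the parameters of Example 13.4: q = 103, p = 2267, e0 = 2, d = 30, r = 11. The hash is assumed here to be SHA-256 over the decimal concatenation M | e1^r mod p, so the resulting S1 is a full-size digest rather than the book's assumed value 200; the signing, verifying and range checks otherwise follow the steps as written, and the verification that the text leaves as an exercise is carried out by schnorr_verify.

```python
import hashlib

# Parameters of Example 13.4 (toy sizes; real Schnorr uses ~1024-bit p, 160-bit q).
Q, P = 103, 2267                   # q divides p - 1: 2267 = 22 * 103 + 1
E0 = 2                              # primitive element of Z_2267* (from the example)
E1 = pow(E0, (P - 1) // Q, P)       # e1 = e0^((p-1)/q) mod p = 354, a q-th root of 1
D = 30                              # Alice's private key
E2 = pow(E1, D, P)                  # e2 = e1^d mod p = 1206


def h(m, x):
    """h(M | x): SHA-256 over the decimal concatenation, as an integer
    (assumed encoding; the book only says 'concatenation')."""
    data = (str(m) + str(x)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def schnorr_sign(m, r, d=D, e1=E1, p=P, q=Q):
    """Signing steps 1-4. r must be fresh per message and lie in [1, q-1]."""
    if not 1 <= r < q:
        raise ValueError("r must be between 1 and q-1")
    s1 = h(m, pow(e1, r, p))        # S1 = h(M | e1^r mod p)
    s2 = (r + d * s1) % q           # S2 = r + d * S1 mod q
    return s1, s2


def schnorr_verify(m, s1, s2, e1=E1, e2=E2, p=P, q=Q):
    """Verifying steps 1-2: V = h(M | e1^S2 * e2^(-S1) mod p); accept iff V == S1.
    Because e1 has order q, e1^S2 * e2^(-S1) = e1^(r + d*S1 - d*S1) = e1^r,
    so an honest signature reproduces the value Alice hashed."""
    if not 0 <= s2 < q:
        return False
    x = pow(e1, s2, p) * pow(e2, -s1, p) % p
    return h(m, x) == s1


if __name__ == "__main__":
    print("e1 =", E1, " e2 =", E2, " e1^11 mod p =", pow(E1, 11, P))
    s1, s2 = schnorr_sign(1000, 11)
    print("S2 =", s2, " verified:", schnorr_verify(1000, s1, s2))
    print("altered message verified:", schnorr_verify(1001, s1, s2))
```

Note that only S2 is reduced modulo q; S1 is whatever the hash produces, which is why q is chosen to match the digest size in step 2 of key generation.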
Forgery in the Schnorr Signature Scheme

It looks like all attacks on the ElGamal scheme can be applied to the Schnorr scheme. However, Schnorr is in a better position because S1 = h(M | e1^r mod p), which means that the hash function is applied to the combination of the message and e1^r, in which r is a secret.

Digital Signature Standard (DSS)

The Digital Signature Standard (DSS) was adopted by the National Institute of Standards and Technology (NIST) in 1994. NIST published DSS as FIPS 186. DSS uses a digital signature algorithm (DSA) based on the ElGamal scheme with some ideas from the Schnorr scheme. DSS has been criticized from the time it was published. The main complaint regards the secrecy of DSS design. The second complaint regards the size of the prime, 512 bits. Later NIST made the size variable to respond to this complaint. Figure 13.13 gives the general idea behind the DSS scheme.

Figure 13.13 General idea behind DSS

[Figure 13.13: S1, S2: Signatures; M: Message; (e1, e2, p, q): Alice's public key; d: Alice's private key; r: Random secret; h(M): Message digest. Signing: function 1 (mod p, mod q) and function 2 (mod q) produce S1 and S2; Verifying: function 3 (mod p, mod q) produces V, which is compared with S1; Accept if equal.]

In the signing process, two functions create two signatures; in the verifying process, the output of one function is compared to the first signature for verification. This is similar to Schnorr, but the inputs are different. Another difference is that this scheme uses the message digest (not the message) as part of the inputs to functions 1 and 3. The interesting point is that the scheme uses two public moduli: p and q. Functions 1 and 3 use both p and q; function 2 uses only q. The details of inputs and the functions will be discussed shortly.



Key Generation

Before signing a message to any entity, Alice needs to generate keys and announce the public ones to the public.

1. Alice chooses a prime p, between 512 and 1024 bits in length. The number of bits in p must be a multiple of 64.

2. Alice chooses a 160-bit prime q in such a way that q divides (p − 1).

3. Alice uses two multiplicative groups <Z_p*, ×> and <Z_q*, ×>; the second is a subgroup of the first.

4. Alice creates e1 to be the qth root of 1 modulo p (e1^q = 1 mod p). To do so, Alice uses a primitive element in Z_p*, e0, and calculates e1 = e0^((p − 1)/q) mod p.

5. Alice chooses d as the private key and calculates e2 = e1^d mod p.

6. Alice's public key is (e1, e2, p, q); her private key is (d).

\ — 



Verifying and Signing

Figure 13.14 shows the DSS scheme.

Figure 13.14 DSS scheme

[Figure 13.14: S1, S2: Signatures; V: Verification; r: Random secret; d: Alice's private key; (e1, e2, p, q): Alice's public key; h(M): Message digest. Alice (signer): S1 = (e1^r mod p) mod q, S2 = (h(M) + d S1) r^−1 mod q; Bob (verifier): V = [(e1^(h(M) S2^−1) e2^(S1 S2^−1)) mod p] mod q, compared with S1.]

Signing: The following shows the steps to sign the message:

1. Alice chooses a random number r (1 ≤ r < q). Note that although public and private keys can be chosen once and used to sign many messages, Alice needs to select a new r each time she needs to sign a new message.

2. Alice calculates the first signature S1 = (e1^r mod p) mod q. Note that the value of the first signature does not depend on M, the message.

3. Alice creates a digest of the message, h(M).

4. Alice calculates the second signature S2 = (h(M) + d S1) r^−1 mod q. Note that the calculation of S2 is done in modulo q arithmetic.

5. Alice sends M, S1, and S2 to Bob.



Verifying: Following are the steps used to verify the message when M, S1, and S2 are received:

1. Bob checks to see if 0 < S1 < q.

2. Bob checks to see if 0 < S2 < q.

3. Bob calculates a digest of M using the same hash algorithm used by Alice.

4. Bob calculates V = [(e1^(h(M) S2^−1) e2^(S1 S2^−1)) mod p] mod q.

5. If S1 is congruent to V, the message is accepted; otherwise, it is rejected.

Example 13.5

Alice chooses q = 101 and p = 8081. Alice selects e0 = 3 and calculates e1 = e0^((p − 1)/q) mod p = 6968. Alice chooses d = 61 as the private key and calculates e2 = e1^d mod p = 2038. Now Alice can send a message to Bob. Assume that h(M) = 5000 and Alice chooses r = 61:

h(M) = 5000     r = 61
S1 = (e1^r mod p) mod q
S2 = (h(M) + d S1) r^−1 mod q

Alice sends M, S1, and S2 to Bob. Bob uses the public keys to calculate V:

S2^−1 mod 101
V = [(e1^(h(M) S2^−1) e2^(S1 S2^−1)) mod p] mod q = 54

Because S1 and V are congruent, Bob accepts the message.
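The DSS steps above as an added Python example (not code from the book or from FIPS 186), with the parameters of Example 13.5: q = 101, p = 8081, e0 = 3, d = 61, h(M) = 5000 and r = 61. The signature values it prints are whatever these inputs produce, not values copied from the text. It also applies the rule referred to in Exercise 16: a signature in which S1 or S2 comes out as 0 is discarded and must be recomputed with a new r.

```python
# Parameters of Example 13.5 (toy sizes; FIPS 186 uses p of 512..1024 bits, q of 160 bits).
Q, P = 101, 8081                  # q divides p - 1: 8081 = 80 * 101 + 1
E0 = 3                             # primitive element of Z_8081* (from the example)
E1 = pow(E0, (P - 1) // Q, P)      # e1 = e0^((p-1)/q) mod p = 6968  (e1^q = 1 mod p)
D = 61                             # Alice's private key
E2 = pow(E1, D, P)                 # e2 = e1^d mod p = 2038


def dss_sign(hm, r, d=D, e1=E1, p=P, q=Q):
    """Signing steps 1-5 with hm = h(M).  Returns (S1, S2), or None when S1
    or S2 is 0, in which case the caller must choose a new r."""
    if not 1 <= r < q:
        raise ValueError("r must satisfy 1 <= r < q")
    s1 = pow(e1, r, p) % q                          # S1 = (e1^r mod p) mod q
    s2 = (hm + d * s1) * pow(r, -1, q) % q          # S2 = (h(M) + d S1) r^-1 mod q
    if s1 == 0 or s2 == 0:
        return None
    return s1, s2


def dss_verify(hm, s1, s2, e1=E1, e2=E2, p=P, q=Q):
    """Verifying steps 1-5: range checks, then with w = S2^-1 mod q
    V = [(e1^(h(M) w) * e2^(S1 w)) mod p] mod q, accept iff V == S1.
    Exponents may be reduced mod q because e1 and e2 have order q."""
    if not (0 < s1 < q and 0 < s2 < q):
        return False
    w = pow(s2, -1, q)
    v = pow(e1, hm * w % q, p) * pow(e2, s1 * w % q, p) % p % q
    return v == s1


def sign_with_fresh_r(hm, candidates):
    """Try candidate r values (in practice fresh random draws) until a
    signature with non-zero S1 and S2 results; return (r, (S1, S2))."""
    for r in candidates:
        sig = dss_sign(hm, r)
        if sig is not None:
            return r, sig
    return None


if __name__ == "__main__":
    print("e1 =", E1, " e2 =", E2)
    r, sig = sign_with_fresh_r(5000, [61])
    print("r =", r, " (S1, S2) =", sig, " verified:", dss_verify(5000, *sig))
    print("out-of-range S1 rejected:", dss_verify(5000, 0, sig[1]))
```

The range checks in dss_verify are not cosmetic: a signature with S1 = 0 would make the e2 term vanish and S2 = 0 has no inverse mod q, which is why the standard demands that such signatures be regenerated with a new r.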
DSS Versus RSA

Computation of DSS signatures is faster than computation of RSA signatures when using the same p.

DSS Versus ElGamal

DSS signatures are smaller than ElGamal signatures because q is smaller than p.

Elliptic Curve Digital Signature Scheme

Our last scheme is the elliptic curve digital signature scheme, which is DSA based on elliptic curves, as we discussed in Chapter 10. The scheme sometimes is referred to as ECDSA (elliptic curve DSA). Figure 13.15 gives the general idea behind ECDSS.

In the signing process, two functions and an extractor create two signatures; in the verifying process the output of one function (after passing through the extractor) is compared to the first signature for verification. Functions f1 and f3 actually create points on the curve. The first creates a new point from the signer's private key (which is a point); the second creates a new point from the signer's two public keys (which are the points). Each extractor extracts the first coordinate of the corresponding point in modular arithmetic. The details of inputs and the functions will be discussed shortly.



Figure 13.15 General idea behind the ECDSS scheme

[Figure 13.15: M: Message; (a, b, p, q, e1, e2): Alice's public key; d: Alice's private key. Signing: f1 creates a point on the curve, the extractor takes its first coordinate mod q to give S1, and f2 gives S2; Verifying: f3 creates a point from the public keys, the extractor takes its first coordinate mod q and compares it with S1.]

Key Generation

Key generation follows these steps:

1. Alice chooses an elliptic curve E_p(a, b) with p a prime number.

2. Alice chooses another prime number q to be used in the calculation.

3. Alice chooses the private key d, an integer.

4. Alice chooses e1(..., ...), a point on the curve.

5. Alice calculates e2(..., ...) = d × e1(..., ...), another point on the curve.

6. Alice's public key is (a, b, p, q, e1, e2); her private key is d.

Signing and Verifying

Figure 13.16 shows the elliptic curve digital signature scheme.

Signing: The signing process consists mainly of choosing a secret random number, creating a third point on the curve, calculating two signatures, and sending the message and signatures.

1. Alice chooses a secret random number r between 1 and q − 1.

2. Alice selects a third point on the curve, P(u, v) = r × e1(..., ...).

3. Alice uses the first coordinate of P(u, v) to calculate the first signature S1. This means S1 = u mod q.

4. Alice uses the digest of the message, her private key, the secret random number r, and S1 to calculate the second signature S2 = (h(M) + d × S1) r^−1 mod q.

5. Alice sends M, S1, and S2.

Verifying: The verification process consists mainly of reconstructing the third point and verifying that the first coordinate is equivalent to S1 in modulo q. Note that the third point was created by the signer using the secret random number r. The verifier does not have this value. He needs to make the third point from the message digest, S1, and S2:

1. Bob uses M, S1, and S2 to create two intermediate results, A and B:

A = h(M) S2^−1 mod q     and     B = S1 S2^−1 mod q

Bob then reconstructs the third point T(x, y) = A × e1(..., ...) + B × e2(..., ...).

2. Bob uses the first coordinate of T(x, y) to verify the message. If x = S1 mod q, the signature is verified; otherwise, it is rejected.

Figure 13.16 The ECDSS scheme

[Figure 13.16: r: Random secret; P(u, v), T(x, y): Points on the curve; S1, S2: Signatures; d: Alice's private key; h(M): Message digest; V: Verification; (a, b, p, q, e1, e2): Alice's public key; A, B: Intermediate results. Alice (signer): P(u, v) = r × e1, S1 = u mod q, S2 = (h(M) + d S1) r^−1 mod q; Bob (verifier): A = h(M) S2^−1 mod q, B = S1 S2^−1 mod q, T(x, y) = A × e1 + B × e2, compare x mod q with S1.]
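The ECDSS signing and verifying steps above as an added Python example (not code from the book). The curve and key values are assumptions made for this example: the toy curve y^2 = x^3 + 2x + 2 over Z_17 with base point e1 = (5, 1), whose order is the prime q = 19; private key d = 7; the secret r = 3; and the digest value h(M) = 5000 borrowed from Example 13.5. The point addition and doubling are the affine formulas for E_p(a, b) from Chapter 10.

```python
# Toy curve (assumed for this example): y^2 = x^3 + 2x + 2 over Z_17.
# The base point e1 = (5, 1) has prime order q = 19, so every nonzero scalar
# mod q is invertible.  Real ECDSA uses ~256-bit curves such as P-256.
A, B, P = 2, 2, 17
Q = 19
E1 = (5, 1)
INF = None            # point at infinity (identity of the group)


def ec_add(p1, p2, a=A, p=P):
    """Affine point addition / doubling on y^2 = x^3 + ax + b over Z_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                       # P + (-P) = O
    if p1 == p2:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, pt):
    """Scalar multiplication k x pt by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


D = 7                  # Alice's private key (assumed)
E2 = ec_mul(D, E1)     # e2 = d x e1 = (0, 6); public key is (a, b, p, q, e1, e2)


def ecdsa_sign(hm, r, d=D, e1=E1, q=Q):
    """Signing steps 1-5; hm is the digest h(M) as an integer.
    Returns (S1, S2), or None when S1 or S2 is 0 and a new r must be chosen."""
    if not 1 <= r <= q - 1:
        raise ValueError("r must be in [1, q-1]")
    u, _v = ec_mul(r, e1)                            # third point P(u, v) = r x e1
    s1 = u % q                                       # S1 = u mod q
    s2 = (hm + d * s1) * pow(r, -1, q) % q           # S2 = (h(M) + d S1) r^-1 mod q
    if s1 == 0 or s2 == 0:
        return None
    return s1, s2


def ecdsa_verify(hm, s1, s2, e1=E1, e2=E2, q=Q):
    """Verifying steps 1-2: rebuild T = A x e1 + B x e2 and compare x mod q with S1."""
    if not (0 < s1 < q and 0 < s2 < q):
        return False
    w = pow(s2, -1, q)
    a = hm * w % q                                   # A = h(M) S2^-1 mod q
    b = s1 * w % q                                   # B = S1 S2^-1 mod q
    t = ec_add(ec_mul(a, e1), ec_mul(b, e2))
    if t is INF:                                     # no x-coordinate: reject
        return False
    return t[0] % q == s1


if __name__ == "__main__":
    sig = ecdsa_sign(5000, 3)        # r = 3 chosen here; it must be fresh per message
    print("e2 =", E2, " (S1, S2) =", sig)
    print("verified:", ecdsa_verify(5000, *sig), " altered digest:", ecdsa_verify(4, *sig))
```

Why verification works: T = A e1 + B e2 = (h(M) + d S1) S2^−1 × e1 = r × e1, so T is the signer's third point and its first coordinate reduces to S1. The INF check matters because a point at infinity has no first coordinate to extract.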

13.6 VARIATIONS AND APPLICATIONS

This section briefly discusses variations and applications of digital signatures.

Variations

Following are brief discussions of several variations and additions to the main concept of digital signatures. For more insight, the reader can consult the specialized literature.



Time Stamped Signatures

Sometimes a signed document needs to be timestamped to prevent it from being replayed by an adversary. This is called a timestamped signature scheme.

For example, if Alice signs a request to her bank, Bob, to transfer some money to Eve, the document can be intercepted and replayed by Eve if there is no timestamp on the document. Including the actual date and time on the documents may create a problem if the clocks are not synchronized and a universal time is not used. One solution is to use a nonce (a one-time random number). A nonce is a number that can be used only once. When the receiver receives a document with a nonce n, he makes a note that the number is now used by the sender and cannot be used again. In other words, a new nonce defines the "present time"; a used nonce defines "past time".

Blind Signatures

Sometimes we have a document that we want to get signed without revealing the contents of the document to the signer. For example, a scientist, say Bob, might have discovered a very important theory that needs to be signed by a notary public, say Alice, without allowing Alice to know the contents of the theory. David Chaum has developed some patented blind digital signature schemes for this purpose. The main idea is as follows:

a. Bob creates a message and blinds it. Bob sends the blinded message to Alice.

b. Alice signs the blinded message and returns the signature on the blinded message.

c. Bob unblinds the signature to obtain a signature on the original message.

Blind Signature Based on the RSA Scheme: Let us briefly describe a blind digital signature scheme developed by David Chaum. Blinding can be done using a variation of the RSA scheme. Bob selects a random number, b, and calculates the blinded message B = M × b^e mod n, in which e is Alice's public key and n is the modulus defined in the RSA digital signature scheme. Note that b is sometimes called the blinding factor. Bob sends B to Alice.

Alice signs the blinded message using the signing algorithm defined in the RSA digital signature scheme: S_b = B^d mod n, in which d is Alice's private key. Note that S_b is the signature on the blind version of the message.

Bob simply uses the multiplicative inverse of his random number b to remove the blind from the signature. The signature is S = S_b × b^−1 mod n. We can prove that S is the signature on the original message as defined in the RSA digital signature scheme:

S = S_b × b^−1 mod n = (M × b^e)^d × b^−1 mod n = M^d × b^(e × d) × b^−1 mod n = M^d × b × b^−1 mod n = M^d mod n

S is the signature if Bob has sent the original message to be signed by Alice.
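The three-step RSA blinding protocol just described, as an added Python example (not code from the book or from Chaum's schemes). It reuses Alice's key values from Example 13.1; the message M = 19070 and the blinding factor b = 4321 are constructed inputs. The round-trip function shows what the proof above states: the unblinded signature equals the RSA signature Alice would have produced on M directly, while Alice only ever saw B.

```python
from math import gcd

# Alice's RSA signing key from Example 13.1 (toy size; not secure).
P, Q = 823, 953
N = P * Q                           # n = 784319
E = 313                             # Alice's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # Alice's private exponent = 160009


def blind(m, b, e=E, n=N):
    """Bob: B = M * b^e mod n, with a blinding factor b coprime to n."""
    if gcd(b, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    return m * pow(b, e, n) % n


def sign_blinded(bm, d=D, n=N):
    """Alice: S_b = B^d mod n; she sees only the blinded value B."""
    return pow(bm, d, n)


def unblind(sb, b, n=N):
    """Bob: S = S_b * b^-1 mod n."""
    return sb * pow(b, -1, n) % n


def rsa_verify(m, s, e=E, n=N):
    """Standard RSA verification: S^e = M (mod n)."""
    return pow(s, e, n) == m % n


def blind_signature_roundtrip(m, b):
    """Run steps a-c.  Returns (S, S equals M^d mod n, S verifies on M)."""
    bm = blind(m, b)                # step a: Bob blinds and sends B
    sb = sign_blinded(bm)           # step b: Alice signs B
    s = unblind(sb, b)              # step c: Bob removes the blind
    return s, s == pow(m, D, N), rsa_verify(m, s)


if __name__ == "__main__":
    m, b = 19070, 4321
    print("Alice sees B =", blind(m, b), "not M =", m)
    s, same_as_direct, ok = blind_signature_roundtrip(m, b)
    print("S =", s, " equals direct signature:", same_as_direct, " verifies:", ok)
```

The gcd test is the one condition the protocol needs from b: if b shared a factor with n, b^−1 mod n would not exist and Bob could not unblind.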

Preventing Fraud: It appears that Bob can get Alice to sign a blind message that may later hurt her. For example, Bob's message could be a document, claiming to be Alice's will, that will give everything to Bob after her death. There are at least three ways to prevent such damage:

a. The authorities can pass a law that Alice is not responsible for signing any blind message that is against her interest.

b. Alice can request a document from Bob that the message she will sign does not hurt Alice.

c. Alice could require that Bob proves his honesty before she signs the blind message.



Undeniable Digital Signatures

Undeniable digital signature schemes are elegant inventions of Chaum and van Antwerpen. An undeniable digital signature scheme has three components: a signing algorithm, a verification protocol, and a disavowal protocol. The signing algorithm allows Alice to sign a message. The verification protocol uses the challenge-response mechanism (discussed in Chapter 14) to involve Alice for verifying the signature. This prevents the duplication and distribution of the signed message without Alice's approval. The disavowal protocol helps Alice deny a forged signature. To prove that the signature is a forgery, Alice needs to take part in the disavowal protocol.

Applications

Later chapters discuss several applications of cryptography in network security. Most of these applications directly or indirectly require the use of public keys. To use a public key, a person should prove that she actually owns the public key. For this reason, the idea of certificates and certificate authorities (CAs) has been developed (see Chapter 14 and Chapter 15). The certificates must be signed by the CA to be valid. Digital signatures are used to provide such a proof. When Alice needs to use Bob's public key, she uses the certificates issued by a CA. The CA signs the certificate with its private key and Alice verifies the signature using the public key of the CA. The certificate itself contains Bob's public key.

Today's protocols that use the services of CA include IPSec (Chapter 18), SSL/TLS (Chapter 17), and S/MIME (Chapter 16). Protocol PGP uses certificates, but they can be issued by people in the community.

13.7 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

[Sti06], [TW06], and [PHS03] discuss digital signatures in detail.

Websites

The following websites give more information about topics discussed in this chapter.

http://en.wikipedia.org/wiki/ElGamal_signature_scheme

tfiic.(]TSL£ov/^ty^d5M8^Ay S .jrff 
hUpflen.wiJdpe^a.Qf^ 



13.8 KEY TERMS

blind digital signature scheme
chosen-message attack
digital signature
digital signature algorithm
digital signature scheme
digital signature standard (DSS)
ElGamal digital signature scheme
elliptic curve digital signature scheme
existential forgery
key-only attack
known-message attack
nonce
RSA digital signature scheme
Schnorr digital signature scheme
selective forgery
signing algorithm
timestamped digital signature
undeniable digital signatures
verifying algorithm



13.9 SUMMARY

□ A digital signature scheme can provide the same services provided by a conventional signature. A conventional signature is included in the document; a digital signature is a separate entity. To verify a conventional signature, the recipient compares the signature with the signature on file; to verify a digital signature, the recipient applies a verifying process to the document and signature. There is a one-to-many relationship between a document and the conventional signature; there is a one-to-one relationship between a document and a digital signature.

□ Digital signatures provide message authentication. Digital signatures provide message integrity if the digest of the message is signed instead of the message itself. Digital signatures provide nonrepudiation if a trusted third party is used. Digital signatures cannot provide confidentiality for the message; if confidentiality is needed, a cryptosystem must be applied over the digital signature scheme.

□ A digital signature needs an asymmetric-key system. In a cryptosystem, we use the private and public keys of the receiver; for digital signatures, we use the private and public keys of the sender.

□ The RSA digital signature scheme uses the RSA cryptosystem, but the roles of the private and public keys are swapped. The ElGamal digital signature scheme uses the ElGamal cryptosystem (with some minor changes), but the roles of the private and public keys are swapped. The Schnorr digital signature scheme is a modification of the ElGamal scheme in which the size of the signature can be smaller. The Digital Signature Standard (DSS) uses the digital signature algorithm (DSA), which is based on the ElGamal scheme with some ideas from the Schnorr scheme.

□ Timestamped digital signature schemes are designed to prevent the replaying of signatures. Blind digital signature schemes allow Bob to let Alice sign a document without revealing the contents of the document to Alice. The undeniable digital signature scheme needs the signer to be involved in verifying the signature to prevent the duplication and distribution of the signed message without the signer's approval.

□ The main application of digital signatures is in signing the certificates issued by a certificate authority (CA).



13.10 PRACTICE SET

Review Questions

1. Compare and contrast a conventional signature and a digital signature.

2. List the security services provided by a digital signature.

3. Compare and contrast attacks on digital signatures with attacks on cryptosystems.

4. Compare and contrast existential and selective forgery.

5. Define the RSA digital signature scheme and compare it to the RSA cryptosystem.

6. Define the ElGamal scheme and compare it to the RSA scheme.

7. Define the Schnorr scheme and compare it to the ElGamal scheme.

8. Define the DSS scheme and compare it with the ElGamal and the Schnorr
schemes.

9. Define the elliptic curve digital signature scheme and compare it to the elliptic
curve cryptosystem.

10. Mention three variations of digital signatures discussed in this chapter and briefly
state the purpose of each.

Exercises

11. Using the RSA scheme, let p = 809, q = 751, and d = 23. Calculate the public
key e. Then

a. Sign and verify a message with M1 = 100. Call the signature S1.

b. Sign and verify a message with M2 = 50. Call the signature S2.

c. Show that if M = M1 × M2 = 5000, then S = S1 × S2.

12. Using the ElGamal scheme, let p = 881 and d = 700. Find values for e1 and e2.
Choose r = 17. Find the value of S1 and S2 if M = 400.

13. Using the Schnorr scheme, let q = 83, p = 997, and d as given (the value of d is
illegible in this copy). Find values for e1 and e2. Choose r = 11. If M = 400 and
h(400) = 100, find the value of S1, S2, and V. Is S1 ≡ V (mod p)?

14. Using the DSS scheme, let q = 59, p = 709, and d = 14. Find values for e1 and e2.
Choose r = 13. Find the value of S1 and S2 if h(M) = 100. Verify the signature.

15. Do the following:

a. In the RSA scheme, find the relationship between the size of S and the size of n.

b. In the ElGamal scheme, find the size of S1 and S2 in relation to the size of p.

c. In the Schnorr scheme, find the size of S1 and S2 in relation to the size of p and q.

d. In the DSS scheme, find the size of S1 and S2 in relation to the size of p and q.

16. The NIST specification insists that, in DSS, if the value of S1 or S2 is 0, the two
signatures must be recalculated using a new r. What is the reason?

17. In ElGamal, Schnorr, or DSS, what happens if Eve can find the value of r used by
the signer? Explain your answer for each protocol separately.

18. In ElGamal, Schnorr, or DSS, what happens if Alice uses the same value of r to
sign two messages? Explain your answer for each protocol separately.

19. Show an example of the vulnerability of RSA to selective forgery when the values
of p and q are small. Use p = 19 and q = 3.

20. Show an example of the vulnerability of ElGamal to selective forgery when the
value of p is small. Use a small prime p (the value given in the text is illegible here).

21. Show an example of the vulnerability of Schnorr to selective forgery when the
values of p and q are small. Use p = 29 and q = 7.

22. Show an example of the vulnerability of DSS to selective forgery when the values
of p and q are small. Use p = 29 and q = 7.

23. In the ElGamal scheme, if Eve can find the value of r, can she forge a message?
Explain.

24. In the Schnorr scheme, if Eve can find the value of r, can she forge a message?
Explain.

25. In the DSS scheme, if Eve can find the value of r, can she forge a message? Explain.

26. Suppose that the values of p, q, e1, d, and r in the Schnorr scheme are the same as
the corresponding values in the DSS scheme. Compare the values of S1 and S2 in the
Schnorr scheme with the corresponding values in the DSS scheme.

27. In the ElGamal scheme, explain why the calculation of S1 is done in modulo p, but
the calculation of S2 is done in modulo p − 1.

28. In the Schnorr scheme, explain why the calculation of S1 is done in modulo p, but
the calculation of S2 is done in modulo q.

29. In the DSS scheme, explain why the calculation of S1 is done in modulo p modulo
q, but the calculation of S2 is done only in modulo q.

30. In the Schnorr scheme, prove the correctness of the verifying process.

31. In the DSS scheme, prove the correctness of the verifying process.

32. In the elliptic curve digital signature scheme, prove the correctness of the verifying
process.

33. Write two algorithms for the RSA scheme: one for the signing process and one for
the verifying process.

34. Write two algorithms for the ElGamal scheme: one for the signing process and one
for the verifying process.

35. Write two algorithms for the Schnorr scheme: one for the signing process and one
for the verifying process.

36. Write two algorithms for the DSS scheme: one for the signing process and one for
the verifying process.

37. Write two algorithms for the elliptic curve scheme: one for the signing process and
one for the verifying process.




CHAPTER 14

Entity Authentication

Objectives

This chapter has several objectives:

□ To distinguish between message authentication and entity authentication

□ To define witnesses used for identification

□ To discuss some methods of entity authentication using a password

□ To introduce some challenge-response protocols for entity authentication

□ To introduce some zero-knowledge protocols for entity authentication

□ To define biometrics and distinguish between physiological and behavioral techniques
o 

14.1 INTRODUCTION

Entity authentication is a technique designed to let one party prove the identity of
another party. An entity can be a person, a process, a client, or a server. The entity
whose identity needs to be proved is called the claimant; the party that tries to prove
the identity of the claimant is called the verifier. When Bob tries to prove the identity of
Alice, Alice is the claimant, and Bob is the verifier.

Data-Origin Versus Entity Authentication

There are two differences between message authentication (data-origin authentication),
discussed earlier in this book, and entity authentication, discussed in this chapter.

1. Message authentication (or data-origin authentication) might not happen in real
time; entity authentication does. In the former, Alice sends a message to Bob.
When Bob authenticates the message, Alice may or may not be present in
the communication process. On the other hand, when Alice requests entity
authentication, there is no real message communication involved until Alice
is authenticated by Bob. Alice needs to be online and to take part in the process.
Only after she is authenticated can messages be communicated between Alice
and Bob. Data-origin authentication is required when an email is sent from Alice to
Bob. Entity authentication is required when Alice gets cash from an automatic
teller machine.

2. Second, message authentication simply authenticates one message; the process
needs to be repeated for each new message. Entity authentication authenticates the
claimant for the entire duration of a session.

Verification Categories

In entity authentication, the claimant must identify herself to the verifier. This can be
done with one of three kinds of witnesses: something known, something possessed, or
something inherent.

□ Something known. This is a secret known only by the claimant that can be checked
by the verifier. Examples are a password, a PIN, a secret key, and a private key.

□ Something possessed. This is something that can prove the claimant's identity.
Examples are a passport, a driver's license, an identification card, a credit card, and
a smart card.

□ Something inherent. This is an inherent characteristic of the claimant. Examples
are conventional signatures, fingerprints, voice, facial characteristics, retinal
pattern, and handwriting.

Entity Authentication and Key Management

This chapter discusses entity authentication. The next chapter discusses key management.
These two topics are very closely related; most key management protocols use
entity authentication protocols. This is why these two topics are discussed together in
most books. In this book they are treated separately for clarity.



14.2 PASSWORDS

The simplest and oldest method of entity authentication is password-based
authentication, where the password is something that the claimant knows. A password
is used when a user needs to access a system to use the system's resources (login). Each
user has a user identification that is public, and a password that is private. We
can divide these authentication schemes into two groups: the fixed password and the
one-time password.



Fixed Password

A fixed password is a password that is used over and over again for every access.
Several schemes have been built, one upon the other.



First Approach

In the very rudimentary approach, the system keeps a table (a file) that is sorted by user
identification. To access the system resources, the user sends her user identification and
password, in plaintext, to the system. The system uses the identification to find the
password in the table. If the password sent by the user matches the password in the
table, access is granted; otherwise, it is denied. Figure 14.1 shows this approach.

Figure 14.1 User ID and password file (P_A: Alice's password; Pass: password sent by
claimant). Alice (claimant) sends "Alice, P_A" to Bob (verifier); Bob looks up the entry
"Alice, P_A" in the plaintext password file and grants or denies access.

Attacks on the First Approach This approach is subject to several kinds of attack.

□ Eavesdropping. Eve can watch Alice when she types her password. Most systems,
as a security measure, do not show the characters a user types. Eavesdropping can
take a more sophisticated form. Eve can listen to the line and intercept the message,
thereby capturing the password for her own use.

□ Stealing a password. The second type of attack occurs when Eve tries to physically
steal Alice's password. This can be prevented if Alice does not write down
the password and instead commits it to memory. For this reason the password
should be very simple or else related to something familiar to Alice. But this
makes the password vulnerable to other types of attacks.

□ Accessing a password file. Eve can hack into the system and get access to the ID/
password file. Eve can read the file and find Alice's password or even change it. To
prevent this type of attack, the file can be read/write protected. However, most
systems need this type of file to be readable by the public. We will see how the second
approach can protect the file from this type of attack.

□ Guessing. Using a guessing attack, Eve can log into the system and try to guess
Alice's password by trying different combinations of characters. The password is
particularly vulnerable if the user is allowed to choose a short password (a few
characters). It is also vulnerable if Alice has chosen something trivial, such as
her birthday, her child's name, or the name of her favorite actor. To prevent
guessing, a long random password is recommended, something that is not very
obvious. However, the use of such a random password may also create a problem.
Because Alice could easily forget such a password, she might store a copy
of it somewhere, which makes the password subject to stealing.

Second Approach

A more secure approach is to store the hash of the password (instead of the plaintext
password) in the password file. Any user can read the contents of the file, but, because
the hash function is a one-way function, it is almost impossible to recover the value of the
password from it. Figure 14.2 shows the situation. When the password is created, the system
hashes it and stores the hash in the password file.

Figure 14.2 Hashing the password (P_A: Alice's secret password; Pass: password sent by
claimant). Alice (claimant) sends "Alice, P_A" to Bob (verifier); Bob hashes the received
password and compares it with the entry "Alice, h(P_A)" in the password file.

When the user sends the ID and the password, the system creates a hash of the
password and then compares the hash value with the one stored in the file. If there is a
match, the user is granted access; otherwise, access is denied. In this case the file does
not need to be read protected.

Dictionary Attack The hash function prevents Eve from gaining access to the
system even though she has the password file. However, there is still the possibility
of a dictionary attack. In this attack, Eve is interested in finding one password,
regardless of the user ID. For example, if the password is 6 digits, Eve can create a
list of 6-digit numbers (000000 to 999999) and then apply the hash function to every
number; the result is a list of one million hashes. She can then get the password file
and search the second-column entries to find a match. This could be programmed and
run offline on Eve's private computer. After a match is found, Eve can go online and
use the password to access the system. The third approach shows how to make this
attack more difficult.



Third Approach

The third approach is called salting the password. When the password string is created,
a random string, called the salt, is concatenated to the password. The salted password is
then hashed. The ID, the salt, and the hash are then stored in the file. Now, when a user
asks for access, the system extracts the salt, concatenates it with the received password,
makes a hash out of the result, and compares it with the hash stored in the file. If there
is a match, access is granted; otherwise, it is denied (see Figure 14.3).



Figure 14.3 Salting the password (P_A: Alice's password; S_A: Alice's salt; Pass: password
sent by claimant). Alice (claimant) sends "Alice, P_A"; Bob (verifier) reads S_A from the
password file entry "Alice, S_A, h(S_A || P_A)", concatenates it with the received password,
hashes the result, and compares it with the stored hash.

Salting makes the dictionary attack more difficult. If the original password is 6 digits
and the salt is 4 digits, then hashing is done over a 10-digit value. This means that
Eve now needs to make a list of 10 billion (10^10) items and create a hash for each of them
if she wants a single table that covers every possible salt. The list of hashes has 10 billion
entries, and the comparison takes much longer. Salting is very effective if the salt is a very
long random number. The UNIX operating system uses a variation of this method.

Note that the salt itself is stored in the file and is not a secret: it stops Eve from
reusing one precomputed table against every user, and it hides which users share the
same password, but a targeted search for one user's password, using that user's salt,
still costs only one million hashes for a 6-digit password.
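The following Python program is an added example, not code from the text. It builds a constructed password file in the second approach (hash only) and in the third approach (salt and hash), runs Eve's offline dictionary attack against both, and counts how many hash operations she spends. The hash function (SHA-256), the 4-digit PIN space, the user names and the PINs are all assumptions chosen to keep the search instant; the text's 6-digit passwords would only scale the numbers.

```python
import hashlib
import os

# Assumed (constructed) password space: 4-digit PINs, so that Eve's table is
# small enough to build instantly. The text uses 6-digit passwords.
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]


def h(data: str) -> str:
    """The one-way function of the second and third approaches (SHA-256 here)."""
    return hashlib.sha256(data.encode()).hexdigest()


def make_entry(password: str, salted: bool, salt: str = "") -> dict:
    """One row of the password file.
    Second approach: store h(P).  Third approach: store the salt and h(salt || P)."""
    if not salted:
        return {"salt": "", "hash": h(password)}
    if not salt:
        salt = os.urandom(4).hex()        # random, stored in the clear next to the hash
    return {"salt": salt, "hash": h(salt + password)}


def verify(entry: dict, password: str) -> bool:
    """Verifier: extract the salt, concatenate, hash, compare with the stored hash."""
    return h(entry["salt"] + password) == entry["hash"]


def dictionary_attack(password_file: dict) -> tuple:
    """Eve's offline attack on a copy of the file.
    Returns (recovered passwords, number of hash operations spent).
    Unsalted rows all share one precomputed table; salted rows force a fresh
    table per distinct salt, because the salt is part of the hashed string."""
    recovered, work, tables = {}, 0, {}
    for user, entry in password_file.items():
        salt = entry["salt"]
        if salt not in tables:
            tables[salt] = {h(salt + pin): pin for pin in PIN_SPACE}
            work += len(PIN_SPACE)
        if entry["hash"] in tables[salt]:
            recovered[user] = tables[salt][entry["hash"]]
    return recovered, work


def build_file(salted: bool) -> dict:
    # Constructed users and PINs (not real data). Alice and Carol share a PIN.
    users = {"alice": "4711", "bob": "0042", "carol": "4711"}
    return {u: make_entry(p, salted) for u, p in users.items()}


def same_hash(password_file: dict, u1: str, u2: str) -> bool:
    """Without salt, equal passwords give equal rows: the file leaks that fact."""
    return password_file[u1]["hash"] == password_file[u2]["hash"]
```

Against the unsalted file Eve builds one table of 10,000 hashes and recovers all three PINs; against the salted file she needs a table per user (30,000 hashes) and can no longer tell that Alice and Carol chose the same PIN. The salt does not make any single user's password harder to find than the size of the password space, which is why password length and a deliberately slow password hash remain necessary.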



Fourth Approach

In the fourth approach, two identification techniques are combined. A good example of
this type of authentication is the use of an ATM card with a PIN (personal identification
number). The card belongs to the category "something possessed" and the PIN belongs
to the category "something known". The PIN is a password that enhances the security
of the card. If the card is stolen, it cannot be used unless the PIN is known. The PIN,
however, is traditionally very short so it is easily remembered by the owner.
This makes it vulnerable to the guessing type of attack.

One-Time Password

A one-time password is a password that is used only once. This kind of password
makes eavesdropping and reuse of a captured password useless. Three approaches are
discussed here.







First Approach

In the first approach, the user and the system agree upon a list of passwords. Each
password on the list can be used only once. There are some drawbacks to this approach.
First, the system and the user must keep a long list of passwords. Second, if the user
does not use the passwords in sequence, the system needs to perform a long search to
find the match. This scheme makes eavesdropping and reuse of the password useless.
The password is valid only once and cannot be used again.

Second Approach

In the second approach, the user and the system agree to sequentially update the
password. The user and the system agree on an original password, P1, which is valid only
for the first access. During the first access, the user generates a new password, P2, and
encrypts this password with P1 as the key. P2 is the password for the second access.
During the second access, the user generates a new password, P3, and encrypts it with
P2; P3 is used for the third access. In other words, P_i is used to create P_{i+1}. Of course, if
Eve can guess the first password (P1), she can find all of the subsequent ones.

Third Approach

In the third approach, the user and the system create a sequentially updated password
using a hash function. In this approach, elegantly devised by Leslie Lamport, the user
and the system agree upon an original password, P0, and a counter, n. The system
calculates h^n(P0), where h^n means applying a hash function n times. In other words,
h^n(P0) = h(h(...h(P0)...)), with h applied n times.

The system stores the identity of Alice, the value of n, and the value of h^n(P0).
Figure 14.4 shows how the user accesses the system the first time.

Figure 14.4 Lamport one-time password. Alice (claimant) sends her identity; Bob
(verifier) replies with the counter n from her original entry (Alice, n, h^n(P0)); Alice
sends h^{n−1}(P0); Bob hashes it once and compares with the stored h^n(P0), then either
grants access and writes the updated entry (Alice, n − 1, h^{n−1}(P0)) or denies access.

When the system receives the response of the user in the third message, it applies
the hash function to the value received to see if it matches the value stored in the entry.
If there is a match, access is granted; otherwise, it is denied. The system then decrements
the value of n in the entry and replaces the old value of the password h^n(P0) with
the new value h^{n−1}(P0).

When the user tries to access the system for the second time, the value of the
counter she receives is n − 1. The third message from the user is now h^{n−2}(P0). When
the system receives this message, it applies the hash function to get h^{n−1}(P0), which can
be compared with the updated entry.

The value of n in the entry is decremented each time there is an access. When the
value becomes 0, the user can no longer access the system; everything must be set up
again. For this reason, the value of n is normally chosen as a large number such as 1000.
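The exchange of Figure 14.4, as an added example in Python (not code from the text). The server keeps only (n, h^n(P0)); the client keeps P0. The hash function (SHA-256), the initial password bytes and the small counter are assumptions; the one deliberate difference from the text is that the server stops one step early, when n reaches 1, so that P0 itself is never sent over the line.

```python
import hashlib


def h(value: bytes) -> bytes:
    """The one-way hash h (SHA-256 assumed)."""
    return hashlib.sha256(value).digest()


def h_n(value: bytes, n: int) -> bytes:
    """h^n(P0): apply h n times."""
    for _ in range(n):
        value = h(value)
    return value


class LamportServer:
    """Bob's side. Stores (identity, n, h^n(P0)) per user and never sees P0."""

    def __init__(self):
        self.entries = {}

    def register(self, user: str, p0: bytes, n: int) -> None:
        self.entries[user] = {"n": n, "hash": h_n(p0, n)}

    def challenge(self, user: str) -> int:
        # Second message: the current counter from the user's entry.
        return self.entries[user]["n"]

    def login(self, user: str, response: bytes) -> bool:
        entry = self.entries[user]
        if entry["n"] <= 1:             # chain exhausted: P0 would be next, re-enrol instead
            return False
        if h(response) != entry["hash"]:
            return False
        entry["n"] -= 1                 # accept, then step one link down the chain
        entry["hash"] = response
        return True


class LamportClient:
    """Alice's side. Keeps only P0 and recomputes h^(n-1)(P0) for each access."""

    def __init__(self, p0: bytes):
        self.p0 = p0

    def respond(self, n: int) -> bytes:
        return h_n(self.p0, n - 1)      # third message


def run(n: int = 5) -> dict:
    server, alice = LamportServer(), LamportClient(b"constructed-P0")
    server.register("alice", alice.p0, n)
    first = alice.respond(server.challenge("alice"))
    ok_first = server.login("alice", first)
    ok_replay = server.login("alice", first)      # Eve replays the captured message 3
    ok_second = server.login("alice", alice.respond(server.challenge("alice")))
    return {"first": ok_first, "replay": ok_replay, "second": ok_second,
            "n_left": server.entries["alice"]["n"]}
```

A replayed third message fails because the entry now holds h^{n−1}(P0) and hashing the replayed value once gives h^n(P0), which no longer matches; the chain also lets the server refuse once n is exhausted, which is the point at which the text says everything must be set up again.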

14.3 CHALLENGE-RESPONSE

In password authentication, the claimant proves her identity by demonstrating that she
knows a secret, the password. However, because the claimant reveals this secret, it is
susceptible to interception by the adversary. In challenge-response authentication,
the claimant proves that she knows a secret without sending it. In other words, the
claimant does not send the secret to the verifier; the verifier either has it or finds it.

In challenge-response authentication, the claimant proves that she knows a secret
without sending it to the verifier.

The challenge is a time-varying value such as a random number or a timestamp
that is sent by the verifier. The claimant applies a function to the challenge and sends
the result, called a response, to the verifier. The response shows that the claimant knows
the secret.

The challenge is a time-varying value sent by the verifier; the response is the result
of a function applied on the challenge.



Using a Symmetric-Key Cipher

Several approaches to challenge-response authentication use symmetric-key encryption.
The secret here is the shared secret key, known by both the claimant and the verifier. The
function is the encrypting algorithm applied on the challenge.

First Approach

In the first approach, the verifier sends a nonce, a random number used only once, to
challenge the claimant. A nonce must be time-varying; every time it is created, it is
different. The claimant responds to the challenge using the secret key shared between the
claimant and the verifier. Figure 14.5 shows this first approach.



Figure 14.5 Nonce challenge (K_{A-B}: encrypted with Alice-Bob secret key). Message 1:
Alice sends her identity to Bob (verifier); message 2: Bob sends the nonce R_B; message 3:
Alice (claimant) sends R_B encrypted with K_{A-B}.

The first message is not part of challenge-response; it only informs the verifier that
the claimant wants to be challenged. The second message is the challenge: R_B is the
nonce randomly chosen by the verifier (Bob) to challenge the claimant. The claimant
encrypts the nonce using the shared secret key known only to the claimant and the verifier
and sends the result to the verifier. The verifier decrypts the message. If the nonce
obtained from decryption is the same as the one sent by the verifier, Alice is granted access.

Note that in this process, the claimant and the verifier need to keep the symmetric
key used in the process secret. The verifier must also keep the value of the nonce for
claimant identification until the response is returned.

The reader may have noticed that use of a nonce prevents replay of the third message
by Eve. Eve cannot replay the third message and pretend that it is a new request
for authentication by Alice, because once Bob receives the response the value of R_B is
not valid any more. The next time a new value is used. Note also that the claimant
encrypts whatever value she receives, so anyone who can pose as the verifier obtains
encryptions of values of his choice under the shared key; a keyed hash over the challenge
(discussed later in this section) avoids handing out such encryptions.

Second Approach

In the second approach, the time-varying value is a timestamp, which obviously
changes with time. In this approach the challenge message is the current time sent from
the verifier to the claimant. However, this supposes that the claimant and verifier clocks
are synchronized: the claimant knows the current time. This means that there is no need
for the challenge message. The first and third messages can be combined. The result is
that authentication can be done using one message, the response to an implicit challenge,
the current time. Figure 14.6 shows the approach. Since the clocks can never be exactly
synchronized, the verifier must accept timestamps within a small window and remember
the ones already seen inside that window, otherwise the single message could be replayed.

Third Approach

The first and second approaches are for unidirectional authentication. Alice is authenticated
to Bob, but not the other way around. If Alice also needs to be sure about Bob's
identity, we need bidirectional authentication. Figure 14.7 shows a scheme.



Figure 14.6 Timestamp challenge (K_{A-B}: encrypted with Alice-Bob secret key). Alice
(claimant) sends a single message to Bob (verifier): "Alice, T" with the timestamp T
encrypted with K_{A-B}.

Figure 14.7 Bidirectional authentication (K_{A-B}: encrypted with Alice-Bob secret key).
Message 1: Alice sends her identity; message 2: Bob sends R_B; message 3: Alice sends
R_A together with (R_B, R_A) encrypted with K_{A-B}; message 4: Bob sends (R_A, R_B)
encrypted with K_{A-B}.

The second message, R_B, is the challenge from Bob to Alice. In the third message,
Alice responds to Bob's challenge and, at the same time, sends her challenge R_A to
Bob. The fourth message is Bob's response. Note that in the fourth message the order
of R_A and R_B is switched to prevent a replay attack of the third message by an
adversary: if the two messages had the same form, an adversary could reflect one
party's own response back as the answer to its challenge.

Using Keyed-Hash Functions

Instead of using encryption/decryption for entity authentication, we can also use a
keyed-hash function (MAC). One advantage to the scheme is that it preserves the integrity
of challenge and response messages and at the same time uses a secret, the key.

Figure 14.8 shows how we can use a keyed-hash function to create a challenge-response
with a timestamp.

Note that in this case, the timestamp is sent both as plaintext and as text scrambled
by the keyed-hash function. When Bob receives the message, he takes the plaintext T,
applies the keyed-hash function, and then compares his calculation with what he
received to determine the authenticity of Alice.
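The following Python program is an added example (not code from the text) that combines the bidirectional nonce exchange of Figure 14.7 with the keyed-hash idea of Figure 14.8: the nonces travel in the clear and each response is an HMAC-SHA256 tag over them, so neither party encrypts a value chosen by the other. The shared key, the nonce length and the field encoding are assumptions. The functions show an honest run, a replay of a captured response, and why the order of R_A and R_B in message 4 matters.

```python
import hashlib
import hmac
import os


def keyed_hash(key: bytes, *fields: bytes) -> bytes:
    """MAC over length-prefixed fields, so that the pair (R_B, R_A) and the
    swapped pair (R_A, R_B) never produce the same tag."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()


def bob_challenge() -> bytes:
    """Message 2: a fresh nonce R_B; Bob keeps it until the response arrives."""
    return os.urandom(16)


def alice_response(key: bytes, r_b: bytes) -> tuple:
    """Message 3: Alice answers R_B and issues her own challenge R_A."""
    r_a = os.urandom(16)
    return r_a, keyed_hash(key, r_b, r_a)


def bob_verify_and_respond(key: bytes, r_b: bytes, r_a: bytes, tag: bytes):
    """Bob checks message 3 against the nonce he issued. On success he returns
    message 4, the tag over (R_A, R_B) in the swapped order; on failure None."""
    if not hmac.compare_digest(tag, keyed_hash(key, r_b, r_a)):
        return None
    return keyed_hash(key, r_a, r_b)


def alice_verify(key: bytes, r_a: bytes, r_b: bytes, tag: bytes) -> bool:
    """Alice checks message 4 against her own nonce R_A."""
    return hmac.compare_digest(tag, keyed_hash(key, r_a, r_b))


def honest_run(key: bytes) -> bool:
    r_b = bob_challenge()
    r_a, tag3 = alice_response(key, r_b)
    tag4 = bob_verify_and_respond(key, r_b, r_a, tag3)
    return tag4 is not None and alice_verify(key, r_a, r_b, tag4)


def replay_attempt(key: bytes) -> bool:
    """Eve records Alice's message 3 from one session and replays it in a new
    session. Bob's nonce has changed, so the recorded tag does not verify."""
    r_b_old = bob_challenge()
    r_a_old, tag_old = alice_response(key, r_b_old)
    r_b_new = bob_challenge()
    return bob_verify_and_respond(key, r_b_new, r_a_old, tag_old) is not None


def swap_changes_tag(key: bytes) -> bool:
    """The swapped order in message 4 gives a different tag from message 3, so
    an adversary cannot answer a challenge by reflecting the other message."""
    r_a, r_b = os.urandom(16), os.urandom(16)
    return keyed_hash(key, r_b, r_a) != keyed_hash(key, r_a, r_b)
```

The length prefix inside keyed_hash is what makes the field order meaningful; concatenating the two nonces without it would let an attacker move bytes between fields without changing the hashed string.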



Figure 14.8 Keyed-hash function. Alice (claimant) sends one message to Bob (verifier):
"Alice, T" in plaintext together with the keyed hash of the same fields under the
Alice-Bob secret key.

Using an Asymmetric-Key Cipher

Instead of a symmetric-key cipher, we can use an asymmetric-key cipher for entity
authentication. Here the secret must be the private key of the claimant. The claimant
must show that she owns the private key related to the public key that is available to
everyone. This means that the verifier must encrypt the challenge using the public key
of the claimant; the claimant then decrypts the message using her private key. The
response to the challenge is the decrypted challenge. Because the claimant decrypts
whatever she is sent, the key pair used here must be reserved for authentication and not
shared with ordinary encryption, otherwise anyone posing as the verifier could have her
decrypt captured ciphertexts. Following are two approaches: one for unidirectional
authentication and one for bidirectional authentication.

First Approach

In the first approach, Bob encrypts the challenge using Alice's public key. Alice
decrypts the message with her private key and sends the nonce to Bob. Figure 14.9
shows this approach.

Figure 14.9 Unidirectional, asymmetric-key (K_A: encrypted with Alice's public key).
Message 1: Alice (claimant) sends her identity; message 2: Bob (verifier) sends R_B
encrypted with Alice's public key; message 3: Alice sends the decrypted R_B.

Second Approach

In the second approach, two public keys are used, one in each direction. Alice sends her
identity and nonce encrypted with Bob's public key. Bob responds with his nonce
encrypted with Alice's public key. Finally, Alice responds with Bob's decrypted nonce.
Figure 14.10 shows this approach.

Figure 14.10 Bidirectional, asymmetric-key (K_B: encrypted with Bob's public key;
K_A: encrypted with Alice's public key). Message 1: "Alice, R_A" encrypted with Bob's
public key; message 2: "Bob, R_A, R_B" encrypted with Alice's public key; message 3:
Alice sends the decrypted R_B.

Using Digital Signature

Entity authentication can also be achieved using a digital signature. When a digital
signature is used for entity authentication, the claimant uses her private key for signing.
Two approaches are shown here; the others are left as exercises.

First Approach

In the first approach, shown in Figure 14.11, Bob uses a plaintext challenge and Alice
signs the response.

Figure 14.11 Digital signature, unidirectional authentication. Message 1: Alice
(claimant) sends her identity; message 2: Bob (verifier) sends R_B in plaintext;
message 3: Alice sends "Bob, R_B" signed with Alice's private key.
Second Approach

In the second approach, shown in Figure 14.12, Alice and Bob authenticate each other.

Figure 14.12 Digital signature, bidirectional authentication. Message 1: Alice sends
her identity and R_A; message 2: Bob sends "Alice, R_A, R_B" signed with Bob's private
key; message 3: Alice sends "Bob, R_B" signed with Alice's private key.
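The following Python program is an added example, not code from the text. It serves two passages: the Chapter 13 summary's point that an RSA signature swaps the roles of the public and private keys (signing with d, verifying with e), and the unidirectional protocol of Figure 14.11. The key uses the small primes of Chapter 13, Exercise 11 (p = 809, q = 751, d = 23), far too small for real use; the SHA-256 digest reduced modulo n, the identity string "Bob" and the nonce length are assumptions. It also shows, per Exercise 11c, why a raw RSA signature on an unhashed value (such as a bare nonce) is unsafe.

```python
import hashlib
import os
from math import gcd


def rsa_keygen(p: int, q: int, d: int) -> dict:
    """Textbook RSA. The signer keeps d private and publishes (n, e): the roles of
    the two exponents are the reverse of their roles in RSA encryption.
    p = 809, q = 751, d = 23 are the toy values of Chapter 13, Exercise 11."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(d, phi) == 1
    return {"n": n, "e": pow(d, -1, phi), "d": d}


def sign_raw(key: dict, m: int) -> int:
    return pow(m, key["d"], key["n"])                  # S = M^d mod n


def verify_raw(key: dict, m: int, s: int) -> bool:
    return pow(s, key["e"], key["n"]) == m % key["n"]  # S^e mod n == M


def multiplicative_forgery(key: dict, m1: int, m2: int) -> bool:
    """Exercise 11c: S1*S2 is a valid signature on M1*M2, produced without d.
    A signer who signs raw values (a bare nonce, for instance) can be tricked
    into signing a product of her choice; hence digests are signed instead."""
    s1, s2 = sign_raw(key, m1), sign_raw(key, m2)
    return verify_raw(key, m1 * m2, (s1 * s2) % key["n"])


def digest(n: int, *fields: bytes) -> int:
    """Hash of length-prefixed fields, reduced modulo n (assumed encoding)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: dict, *fields: bytes) -> int:
    return sign_raw(key, digest(key["n"], *fields))


def verify(key: dict, sig: int, *fields: bytes) -> bool:
    return verify_raw(key, digest(key["n"], *fields), sig)


def protocol_run(alice_key: dict) -> bool:
    """Figure 14.11: Bob sends the plaintext challenge R_B (message 2); Alice
    returns 'Bob, R_B' signed with her private key (message 3); Bob verifies."""
    r_b = os.urandom(16)
    name, nonce, sig = b"Bob", r_b, sign(alice_key, b"Bob", r_b)
    return verify(alice_key, sig, name, nonce)


def replay_run(alice_key: dict) -> bool:
    """Eve replays a signature captured in an earlier session against a new R_B."""
    old_sig = sign(alice_key, b"Bob", os.urandom(16))
    return verify(alice_key, old_sig, b"Bob", os.urandom(16))
```

Signing the verifier's name together with the nonce ties the response to this verifier, so a response Alice gave to Bob cannot be presented to Carol as an answer to her challenge; signing a digest rather than the raw challenge removes the multiplicative structure that multiplicative_forgery exhibits.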

14.4 ZERO-KNOWLEDGE

In password authentication, the claimant needs to send her secret (the password) to the
verifier; this is subject to eavesdropping by Eve. In addition, a dishonest verifier could
reveal the password to others or use it to impersonate the claimant.

In challenge-response entity authentication, the claimant's secret is not sent to the
verifier. The claimant applies a function on the challenge sent by the verifier that
includes her secret. In some challenge-response methods, the verifier actually knows
the claimant's secret, which could be misused by a dishonest verifier. In other methods,
the verifier can extract some information about the secret from the claimant by choosing
a preplanned set of challenges.

In zero-knowledge authentication, the claimant does not reveal anything that
might endanger the confidentiality of the secret. The claimant proves to the verifier that
she knows a secret, without revealing it. The interactions are so designed that they cannot
lead to revealing or guessing the secret. After exchanging messages, the verifier
only knows that the claimant does or does not have the secret, nothing more. The result
is a yes/no situation, just a single bit of information.

In zero-knowledge authentication, the claimant proves that she knows a secret
without revealing it.





Fiat-Shamir Protocol

In the Fiat-Shamir protocol, a trusted third party (see Chapter 15) chooses two large
prime numbers p and q to calculate the value of n = p × q. The value of n is announced
to the public; the values of p and q are kept secret. Alice, the claimant, chooses a secret
number s between 1 and n − 1 (exclusive). She calculates v = s^2 mod n. She keeps s as
her private key and registers v as her public key with the third party. (In practice s must
also be coprime to n; otherwise gcd(v, n) would reveal one of the secret factors of n.)
Verification of Alice by Bob can be done in four steps as shown in Figure 14.13.



Figure 14.13 Fiat-Shamir protocol (s: Alice's private key; v: Alice's public key). Alice
(claimant) computes x = r^2 mod n and sends the witness x; Bob (verifier) sends the
challenge c; Alice sends the response y = r s^c mod n; Bob compares y^2 mod n with
x v^c mod n and decides "probable" (accept) or "improbable" (reject).


1. Alice, the claimant, chooses a random number r between 0 and n − 1 (r is called the
commitment). She then calculates the value of x = r^2 mod n; x is called the witness.

2. Alice sends x to Bob as the witness.

3. Bob, the verifier, sends the challenge c to Alice. The value of c is either 0 or 1.

4. Alice calculates the response y = r s^c. Note that r is the random number selected by
Alice in the first step, s is her private key, and c is the challenge (0 or 1).

5. Alice sends the response to Bob to show that she knows the value of her private
key s. She claims to be Alice.

6. Bob calculates y^2 and x v^c. If these two values are congruent, then Alice either
knows the value of s (she is honest) or she has calculated the value of y in some
other way (dishonest), because we can easily prove that y^2 is the same as x v^c in
modulo n arithmetic: y^2 = (r s^c)^2 = r^2 s^{2c} = x v^c (mod n), since x = r^2 and
v = s^2.



These six steps constitute a round; the verification is repeated several times with the
value of c equal to 0 or 1 (chosen randomly). The claimant must pass the test in each
round to be verified. If she fails one single round, the process is aborted and she is not
authenticated.

Let us elaborate on this interesting protocol. Alice can be honest (knows the value
of s) or dishonest (does not know the value of s). If she is honest, she passes each
round. If she is not, she still can pass a round by predicting the value of the challenge
correctly. Two situations can happen:

1. Alice guesses that the value of c (the challenge) will be 1 (a prediction). She
calculates x = r^2/v and sends x as the witness.

a. If her guess is correct (c turned out to be 1), she sends y = r as the response. We
can see that she passes the test (y^2 = x v^1).

b. If her guess is wrong (c turned out to be 0), she cannot find a value of y that
passes the test (she would need y = r/s, which requires s). She probably quits or
sends a value that does not pass the test, and Bob will abort the process.

2. Alice guesses that the value of c (the challenge) will be 0. She calculates x = r^2 and
sends x as the witness.

c. If her guess is correct (c turned out to be 0), she sends y = r as the response. We
can see that she passes the test (y^2 = x v^0).

d. If her guess is wrong (c turned out to be 1), she cannot find a value of y that
passes the test (she would need y = rs, which again requires s). She probably quits
or sends a value that does not pass the test, and Bob will abort the process.

We can see that a dishonest claimant has a 50 percent chance of fooling the verifier and
passing the test (by predicting the value of the challenge). In other words, Bob assigns a
probability of 1/2 to each round of the test. If the process is repeated 20 times, the
probability decreases to (1/2)^20 or 9.54 × 10^-7. In other words, it is highly improbable that
Alice can guess correctly 20 times.



Cave Example To show the logic behind the above protocol, Quisquater and Guillou
devised the cave example (Figure 14.14).



Figure 14.14 Cave example. A cave with an entrance (point 1) leading to a fork
(point 2); the left and right passages meet at a door at the far end that opens only
with the magic word.



Suppose there is an underground cave with a door at the end of the cave that can
only be opened with a magic word. Alice claims that she knows the word and that she
can open the door. At the beginning, Alice and Bob are standing at the entrance (point 1).
Alice enters the cave and reaches the fork (point 2). Bob cannot see Alice from the
entrance. Now the game starts.

1. Alice chooses to go either right or left. This corresponds to the sending of the
witness (x).

2. After Alice disappears into the cave, Bob comes to the fork (point 2) and asks
Alice to come up from either the right or the left. This corresponds to sending the
challenge (c).

3. If Alice knows the magic word (her private key), she can come up from the requested
side. She may have to use the magic word (if she is on the wrong side) or she can just
come up without using the magic word (if she is at the right side). However, if Alice
does not know the magic word, she may come up from the correct side if she has
guessed Bob's challenge. With a probability of 1/2, Alice can fool Bob and make him
believe that she knows the magic word. This corresponds to the response (y).

4. The game is repeated many times. Alice will win if she passes the test all of the
time. The probability that she wins the game is very low if she does not know
the magic word. In other words, P = (1/2)^N, where P is the probability of winning
without knowing the magic word and N is the number of times the test is run.

Feige-Fiat-Shamir Protocol

The Feige-Fiat-Shamir protocol is similar to the first approach except that it uses a
vector of private keys [s1, s2, ..., sk], a vector of public keys [v1, v2, ..., vk], and a vector
of challenges [c1, c2, ..., ck]. The private keys are chosen randomly, but they must be
relatively prime to n. The public keys are chosen such that vi = si^(-2) mod n. The three
steps in the process are shown in Figure 14.15.

We can prove that y^2 v1^c1 v2^c2 ... vk^ck is the same as x, where x = r^2 mod n is the
witness and y = r s1^c1 s2^c2 ... sk^ck mod n is the response:

y^2 v1^c1 ... vk^ck = (r s1^c1 ... sk^ck)^2 (s1^(-2))^c1 ... (sk^(-2))^ck = r^2 = x (mod n)

The three exchanges constitute a round; verification is repeated several times with
the value of each ci equal to 0 or 1 (chosen randomly). The claimant must pass the test in
each round to be verified. If she fails a single round, the process is aborted and she is
not authenticated.



Figure 14.15 Feige-Fiat-Shamir protocol (figure not reproduced; it shows the claimant Alice and the verifier Bob exchanging the witness, the challenge vector [c1, ..., ck], and the response y)

Guillou-Quisquater Protocol

The Guillou-Quisquater protocol is an extension of the Fiat-Shamir protocol in which
a smaller number of rounds can be used to prove the identity of the claimant. A trusted
third party (see Chapter 15) chooses two large prime numbers p and q to calculate the
value of n = p x q. The trusted party also chooses an exponent e, which is coprime with
phi(n), and the values of s and v, Alice's private and public keys. The protocol is similar
to the Fiat-Shamir protocol, but in this case the relationship between s and v is different:
s^e v = 1 (mod n).

The three exchanges constitute a round; verification is repeated several times with
a random value of c (the challenge) between 1 and e. The claimant must pass the test in
each round to be verified. If she fails a single round, the process is aborted and she is
not authenticated. Figure 14.16 shows one round.

The equality can be proven as shown below, using the witness x = r^e mod n and the
response y = r s^c mod n:

y^e v^c = (r s^c)^e v^c = r^e (s^e v)^c = r^e = x (mod n)
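The following simulation is an added example, not code from the book. It runs one round of the Feige-Fiat-Shamir protocol (vector of k challenge bits, verifier checks y^2 v1^c1 ... vk^ck = x mod n) and one round of the Guillou-Quisquater protocol (challenge c in 1..e, verifier checks y^e v^c = x mod n) with both an honest claimant and a claimant who lacks the private key and can only guess the challenge before sending the witness. The modulus n = 683 x 811 is built from the primes in this chapter's exercises and is a toy size; the exponent e = 65537 and the use of Python's pow(x, -1, n) for modular inverses are my choices, not the book's. Running the cheater for many rounds shows the (1/2)^k and 1/e success rates discussed in the text and in the cave example.

```python
import secrets
from math import gcd

# Toy modulus from the primes used in the chapter's exercises (p = 683, q = 811).
# A deployment would use primes of hundreds of digits; nothing below depends on the size.
P, Q = 683, 811
N = P * Q
PHI = (P - 1) * (Q - 1)


def rand_coprime(n):
    """Random integer in [2, n-1] that is relatively prime to n."""
    while True:
        cand = secrets.randbelow(n - 2) + 2
        if gcd(cand, n) == 1:
            return cand


def ffs_keygen(n, k):
    """Feige-Fiat-Shamir keys: k private s_i coprime to n, public v_i = s_i^-2 mod n."""
    s = [rand_coprime(n) for _ in range(k)]
    v = [pow(pow(si, 2, n), -1, n) for si in s]
    return s, v


def ffs_round(n, v, s=None):
    """One Feige-Fiat-Shamir round. s=None simulates a claimant without the private keys,
    who must guess Bob's challenge vector before committing to x. Returns True iff Bob accepts."""
    k = len(v)
    if s is not None:                                    # honest claimant: witness x = r^2 mod n
        r = rand_coprime(n)
        x = pow(r, 2, n)
    else:                                                # cheater: choose y first, guess c, and
        guess = [secrets.randbits(1) for _ in range(k)]  # derive the x that passes for that guess only
        y_fake = rand_coprime(n)
        x = pow(y_fake, 2, n)
        for vi, ci in zip(v, guess):
            if ci:
                x = x * vi % n
    c = [secrets.randbits(1) for _ in range(k)]          # Bob's challenge, chosen after seeing x
    if s is not None:                                    # response y = r * prod s_i^c_i mod n
        y = r
        for si, ci in zip(s, c):
            if ci:
                y = y * si % n
    else:
        y = y_fake                                       # the cheater cannot adapt y to c
    lhs = pow(y, 2, n)                                   # Bob checks y^2 * prod v_i^c_i == x (mod n)
    for vi, ci in zip(v, c):
        if ci:
            lhs = lhs * vi % n
    return lhs == x


def gq_keygen(n, phi, e=65537):
    """Guillou-Quisquater keys from the trusted party: exponent e coprime to phi(n),
    private s, public v with s^e * v == 1 (mod n)."""
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    s = rand_coprime(n)
    v = pow(pow(s, e, n), -1, n)
    return e, s, v


def gq_round(n, e, v, s=None):
    """One Guillou-Quisquater round. The challenge is drawn from 1..e, so a cheater who
    must guess it succeeds with probability 1/e per round instead of 1/2."""
    if s is not None:
        r = rand_coprime(n)
        x = pow(r, e, n)                                 # witness x = r^e mod n
    else:
        guess = secrets.randbelow(e) + 1
        y_fake = rand_coprime(n)
        x = pow(y_fake, e, n) * pow(v, guess, n) % n     # passes only if Bob picks c == guess
    c = secrets.randbelow(e) + 1                         # Bob's challenge in [1, e]
    if s is not None:
        y = r * pow(s, c, n) % n                         # response y = r * s^c mod n
    else:
        y = y_fake
    return pow(y, e, n) * pow(v, c, n) % n == x          # Bob checks y^e * v^c == x (mod n)


def cheater_pass_count(protocol_round, rounds):
    """How many of `rounds` independent rounds a claimant without the private key passes."""
    return sum(1 for _ in range(rounds) if protocol_round())


if __name__ == "__main__":
    s, v = ffs_keygen(N, 4)
    print("honest FFS, 20 rounds accepted:", all(ffs_round(N, v, s) for _ in range(20)))
    print("cheater FFS (k=1), passes out of 200:", cheater_pass_count(lambda: ffs_round(N, v[:1]), 200))
    print("cheater FFS (k=4), passes out of 200:", cheater_pass_count(lambda: ffs_round(N, v), 200))
    e, gs, gv = gq_keygen(N, PHI)
    print("honest GQ, 20 rounds accepted:", all(gq_round(N, e, gv, gs) for _ in range(20)))
    print("cheater GQ, passes out of 200:", cheater_pass_count(lambda: gq_round(N, e, gv), 200))
```

The cheater branch is the point of the exercise: a witness x fixed before the challenge can be rigged for exactly one challenge value, so the verifier's choice after seeing x is what limits the impostor to 1/2 per bit (FFS) or 1/e per round (GQ).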




14.5 BIOMETRICS

Biometrics is the measurement of physiological or behavioral features that identify a
person (authentication by something inherent). Biometrics measures features that can-
not be guessed, stolen, or shared.




Figure 14.16 Guillou-Quisquater protocol (figure not reproduced; it shows one round between Alice the claimant and Bob the verifier: witness, challenge c, and response y)

Components

Several components are needed for biometrics, including capturing devices, processors,
and storage devices. Capturing devices such as readers (or sensors) measure biometric
features. Processors change the measured features to the type of data appropriate for
saving. Storage devices save the result of processing for authentication.

Enrollment

Before using any biometric technique for authentication, the corresponding feature of
each person in the community should be available in the database. This is referred to as
enrollment.



Authentication 

Authentication is done by verification or identification. 



Verification

In verification, a person's feature is matched against a single record in the database
(one-to-one matching) to find if she is who she is claiming to be. This is useful, for
example, when a bank needs to verify a customer's signature on a check.



Identification

In identification, a person's feature is matched against all records in the database (one-
to-many matching) to find if she has a record in the database. This is useful, for exam-
ple, when a company needs to allow access to the building only to employees.

Techniques

Biometric techniques can be divided into two broad categories: physiological and
behavioral. Figure 14.17 shows several common techniques under each category.

Figure 14.17 Biometrics (figure not reproduced; physiological: fingerprint, iris, retina, face, hands, voice, DNA; behavioral: signature, keystroke)

Physiological Techniques

Physiological techniques measure the physical traits of the human body for verification
and identification. To be effective, the trait should be unique among all or most of the
population. In addition, the feature should not be changeable due to aging, surgery, illness,
disease, and so on. There are several physiological techniques.

Fingerprint Although there are several methods for measuring characteristics associ-
ated with fingerprints, the two most common are minutiae-based and image-based. In
the minutiae-based technique, the system creates a graph based on where individual
ridges start/stop or branch. In the image-based technique, the system creates an image
of the fingertip and finds similarities to the image in the database. Fingerprints have
been used for a long time. They show a high level of accuracy and support verification
and identification. However, fingerprints can be altered by aging, injury, or diseases.

Iris This technique measures the pattern within the iris that is unique for each person.
It normally requires illuminating the eye with infrared light. Iris scans are very accurate and
stable over a person's life. They also support verification and identification. However,
some eye diseases, such as cataracts, can alter the iris pattern.

Retina The devices for this purpose examine the blood vessels in the back of the
eye. However, these devices are expensive and not common yet.



Face This technique analyzes the geometry of the face based on the distance between
facial features such as the nose, mouth, and eyes. Some technologies combine geometric
features with skin texture. Standard video cameras can be used, and this technique supports
both verification and identification. However, accuracy can be affected by eyeglasses, grow-
ing facial hair, and aging.

Hands This technique measures the dimensions of hands, including the shape and
length of the fingers. This technique can be used indoors and outdoors. However, it is
better suited to verification rather than identification.

Voice Voice recognition measures pitch, cadence, and tone in the voice. It can be
used locally (microphone) or remotely (audio channel). This method is mostly used for
verification. However, accuracy can be diminished by background noise, illness, or age.

DNA DNA is the chemical found in the nucleus of all cells of humans and most other
organisms. The pattern is persistent throughout life and even after death. It is extremely
accurate. It can be used for both verification and identification. The only problem is that
identical twins may share the same DNA.

Behavioral Techniques

Behavioral techniques measure some human behavior traits. Unlike physiological tech-
niques, behavioral techniques need to be monitored to ensure the claimant behaves nor-
mally and does not attempt to impersonate someone else.

Signature In the past, signatures were used in the banking industry to verify the iden-
tity of the check writer. There are still many human experts today who can determine
whether a signature on a check or a document is the same as a signature on file. Bio-
metric approaches use signature tablets and special pens to identify the person. These
devices not only compare the final product (the signature), they also measure some other
behavioral traits, such as the timing needed to write the signature. Signatures are
mostly used for verification.

Keystroke The keystroke (typing rhythm) technique measures the behavior of a per-
son related to working with a keyboard. It can measure the duration of key depression,
the time between keystrokes, the number and frequency of errors, the pressure on the keys,
and so on. It is inexpensive because it does not require new equipment. However, it is
not very accurate because the trait can change with time (people become faster or
slower typists). It is also text dependent.

Accuracy

Accuracy of biometric techniques is measured using two parameters: false rejection
rate (FRR) and false acceptance rate (FAR).

False Rejection Rate (FRR)

This parameter measures how often a person, who should be recognized, is not recog-
nized by the system. FRR is measured as the ratio of false rejections to the total number
of attempts (in percentage).



False Acceptance Rate (FAR)

This parameter measures how often a person, who should not be recognized, is recog-
nized by the system. FAR is measured as the ratio of false acceptances to the total num-
ber of attempts (in percentage).
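The two rates are not independent: both depend on where the system sets its acceptance threshold. The following added example (mine, not the book's) computes FRR and FAR from a constructed set of matcher scores, sweeps the threshold to show the trade-off, and finds the equal error rate (the point where FAR and FRR coincide), which goes slightly beyond the two definitions above. The scores are invented for illustration; real matcher outputs and the "score >= threshold means accept" convention are assumptions.

```python
# Constructed matcher scores in [0, 1]: higher means "more similar to the enrolled template".
GENUINE = [0.91, 0.88, 0.95, 0.73, 0.82, 0.64, 0.90, 0.79, 0.86, 0.97]   # right person, 10 attempts
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.52, 0.31, 0.45, 0.22]  # wrong person, 10 attempts


def far_frr(genuine, impostor, threshold):
    """Accept an attempt when its score >= threshold.
    FRR = false rejections / genuine attempts, FAR = false acceptances / impostor attempts
    (returned as fractions; multiply by 100 for the percentages used in the chapter)."""
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    return false_rejects / len(genuine), false_accepts / len(impostor)


def tradeoff_curve(genuine, impostor):
    """(threshold, FRR, FAR) at every threshold where either rate can change."""
    return [(t,) + far_frr(genuine, impostor, t) for t in sorted(set(genuine) | set(impostor))]


def equal_error_rate(genuine, impostor):
    """Threshold at which FAR and FRR are closest (ties broken toward the lower total error);
    the rates at that point are the equal error rate."""
    return min(tradeoff_curve(genuine, impostor),
               key=lambda row: (abs(row[1] - row[2]), row[1] + row[2]))


if __name__ == "__main__":
    for t, frr, far in tradeoff_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}: FRR {frr:6.1%}  FAR {far:6.1%}")
    print("equal error rate point (threshold, FRR, FAR):", equal_error_rate(GENUINE, IMPOSTOR))
```

Raising the threshold lowers FAR and raises FRR; a building-access deployment tunes toward low FAR, a convenience login toward low FRR, and the curve is what makes that choice explicit.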

Applications

Several applications of biometrics are already in use. In commercial environments
these include access to facilities, access to information systems, transactions at point-of-
sale, and employee timekeeping. In the law enforcement system, they include investi-
gations (using fingerprints or DNA) and forensic analysis. Border control and immigra-
tion control also use some biometric techniques.

14.6 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this
chapter. The items enclosed in brackets refer to the reference list at the end of the
book.

Books

Entity authentication is discussed in [TW06], [Sm#], and [KPS02].

Websites

http://rfo.net/de2195.htmi



14.7 KEY TERMS

biometrics
challenge-response authentication
claimant
dictionary attack
entity authentication
false acceptance rate (FAR)
false rejection rate (FRR)
Feige-Fiat-Shamir protocol
Fiat-Shamir protocol
fixed password
Guillou-Quisquater protocol
identification
nonce
one-time password
password
password-based authentication
salting
something inherent
something known
something possessed
verification
zero-knowledge authentication



i 




14.8 SUMMARY

Entity authentication lets one party prove her identity to another. In entity
authentication, a claimant proves her identity to the verifier using one of the three
kinds of witnesses: something known, something possessed, or something inherent.

In password-based authentication, the claimant uses a string of characters as some-
thing she knows. Password-based authentication can be divided into two broad cat-
egories: fixed and one-time. Attacks on password-based authentication include
eavesdropping, stealing a password, accessing the password file, guessing, and the
dictionary attack.

In challenge-response authentication, the claimant proves that she knows a secret
without actually sending it. Challenge-response authentication can use symmetric-
key ciphers, keyed-hash functions, asymmetric-key ciphers, and digital signatures.

In zero-knowledge authentication, the claimant does not reveal her secret; she just
proves that she knows it.

Biometrics is the measurement of physiological or behavioral features for
identifying a person using something inherent to her. We can divide the biometric
techniques into two broad categories: physiological and behavioral. Physiological
techniques measure the physical traits of the human body for verification and
identification. Behavioral techniques measure some traits in human behavior.



J 




14.9 PRACTICE SET

Review Questions

1. Distinguish between data-origin authentication and entity authentication.

2. List and define three kinds of identification witnesses in entity authentication.

3. Distinguish between fixed and one-time passwords.

4. What are some advantages and disadvantages of using long passwords?

5. Explain the general idea behind challenge-response entity authentication.

6. Define a nonce and its use in entity authentication.

7. Define the dictionary attack and explain how it can be prevented.

8. Distinguish between challenge-response and zero-knowledge entity authentication.

9. Define biometrics and distinguish between the two broad categories of the techniques.

10. Distinguish between the two accuracy parameters defined for biometric measure-
ment in this chapter.




Exercises

11. We discussed fixed and one-time passwords as two extremes. What about fre-
quently changed passwords? How do you think this scheme can be implemented?
What are the advantages and disadvantages?

12. How can a system prevent a guessing attack on a password? How can a bank pre-
vent PIN guessing if someone has found or stolen a bank card and tries to use it?

13. Show two more exchanges of the authentication procedure in Figure 14.4.

14. What are some disadvantages of using the timestamp in Figure 14.6?

15. Can we repeat the three messages in Figure 14.5 to achieve bidirectional authenti-
cation? Explain.

16. Show how authentication in Figure 14.5 can be done using a keyed-hash function.

17. Show how authentication in Figure 14.7 can be done using a keyed-hash function.

18. Compare Figure 14.5 and Figure 14.11 and make a list of similarities and differences.

19. Compare Figure 14.7 and Figure 14.10 and make a list of similarities and differences.

20. Can we use a timestamp with an asymmetric-key cipher to achieve authentication?
Explain.

21. Compare and contrast Figure 14.13, Figure 14.15, and Figure 14.16. Make a list of
similarities and differences.

22. Redo the cave example for the Feige-Fiat-Shamir protocol.

23. For p = 569, q = 683, and s = 157, show three rounds of the Fiat-Shamir protocol
by calculating the values and filling in the entries of a table.

24. For p = 683, q = 811, s1 = 157, and s2 = 43215, show three rounds of the Feige-
Fiat-Shamir protocol by calculating the values and filling in the entries of a table.

25. For p = 683, q = 811, and v = 1 %, show three rounds of the Guillou-Quisquater
protocol by calculating the values and filling in the entries of a table.

26. Draw a diagram to show the general idea behind the three protocols discussed in
this chapter for zero-knowledge authentication.

27. In the Fiat-Shamir protocol, what is the probability that a dishonest claimant cor-
rectly responds to the challenge 15 times in a row?

28. In the Feige-Fiat-Shamir protocol, what is the probability that a dishonest claimant
correctly responds to the challenge 15 times in a row?

29. In the Guillou-Quisquater protocol, what is the probability that a dishonest claimant
correctly responds to the challenge 15 times in a row if the value of the challenge is
selected between 1 and 15?

30. In the bidirectional approach to authentication in Figure 14.10, if multiple session
authentication is allowed, Eve intercepts the R_B nonce from Bob (in the second
session) and sends it as Alice's nonce for a second session. Bob, without checking
that this nonce is the same as the one he sent, encrypts R_B and puts it in a message
with his nonce. Eve uses the encrypted R_B and pretends that she is Alice, continu-
ing with the first session and responding with the encrypted R_B. This is called a
reflection attack. Show the steps in this scenario.



Chapter 15

Key Management

This chapter has several objectives:

□ To explain the need for a key-distribution center (KDC)

□ To show how a KDC can create a session key between two parties

□ To show how two parties can use a symmetric-key agreement proto-
col to create a session key between themselves without using the
services of a KDC

□ To describe Kerberos as a KDC and an authentication protocol

□ To explain the need for certification authorities (CAs) for public keys
and how the X.509 recommendation defines the format of certificates

□ To introduce the idea of a Public-Key Infrastructure (PKI) and explain
some of its duties

Previous chapters have discussed symmetric-key and asymmetric-key
cryptography. However, we have not yet discussed how secret keys in
symmetric-key cryptography, and public keys in asymmetric-key cryp-
tography, are distributed and maintained. This chapter touches on these
two issues.

We first discuss the distribution of symmetric keys using a trusted third
party. Second, we show how two parties can establish a symmetric key
between themselves without using a trusted third party. Third, we intro-
duce Kerberos as both a KDC and an authentication protocol. Fourth, we
discuss the certification of public keys using certification authorities (CAs)
based on the X.509 recommendation. Finally, we briefly discuss the idea
of a Public-Key Infrastructure (PKI) and mention some of its duties.

15.1 SYMMETRIC-KEY DISTRIBUTION

Symmetric-key cryptography is more efficient than asymmetric-key cryptography for
enciphering large messages. Symmetric-key cryptography, however, needs a shared secret
key between two parties. If Alice needs to exchange confidential messages with N people,
she needs N different keys. What if N people need to communicate with each other? A total
of N(N - 1) keys is needed if we require that two people use two keys for bidirectional
communication; only N(N - 1)/2 keys are needed if we allow a key to be used in both direc-
tions. This means that if one million people need to communicate with each other, each
person has almost one million different keys and, in total, on the order of one trillion keys
are needed. This is normally referred to as the N^2 problem because the number of required
keys for N entities is close to N^2.

The number of keys is not the only problem; the distribution of keys is another. If
Alice and Bob want to communicate, they need a way to exchange a secret key; if Alice
wants to communicate with one million people, how can she exchange one million keys
with one million people? Using the Internet is definitely not a secure method. It is obvi-
ous that we need an efficient way to maintain and distribute secret keys.

Key-Distribution Center: KDC

A practical solution is the use of a trusted party, referred to as the key-distribution
center (KDC). To reduce the number of keys, each person establishes a shared secret
key with the KDC, as shown in Figure 15.1.

Figure 15.1 Key-distribution center (KDC) (figure not reproduced; each member holds one secret key shared with the KDC)

A secret key is established between the KDC and each member. Alice has a secret key
with the KDC, which we refer to as K_Alice; Bob has a secret key with the KDC, which
we refer to as K_Bob; and so on. Now the question is how Alice can send a confi-
dential message to Bob. The process is as follows:

1. Alice sends a request to the KDC stating that she needs a session (temporary)
secret key between herself and Bob.

2. The KDC informs Bob about Alice's request.

3. If Bob agrees, a session key is created between the two.



The secret key between Alice and Bob that is established with the KDC is used to authen-
ticate Alice and Bob to the KDC and to prevent Eve from impersonating either of them.
We discuss how a session key is established between Alice and Bob later in the chapter.

Flat Multiple KDCs

When the number of people using a KDC increases, the system becomes unmanageable
and a bottleneck can result. To solve the problem, we need to have multiple KDCs. We
can divide the world into domains. Each domain can have one or more KDCs (for
redundancy in case of failure). Now if Alice wants to send a confidential message to
Bob, who belongs to another domain, Alice contacts her KDC, which in turn contacts
the KDC in Bob's domain. The two KDCs can create a secret key between Alice and
Bob. Figure 15.2 shows KDCs all at the same level. We call this flat multiple KDCs.




Figure 15.2 Flat multiple KDCs




Hierarchical Multiple KDCs

The concept of flat multiple KDCs can be extended to a hierarchical system of KDCs
with one or more KDCs at the top of the hierarchy. For example, there can be local
KDCs, national KDCs, and international KDCs. When Alice needs to communicate with
Bob, who lives in another country, she sends her request to a local KDC; the local KDC
relays the request to the national KDC; the national KDC relays the request to an interna-
tional KDC. The request is then relayed all the way down to the local KDC where Bob
lives. Figure 15.3 shows a configuration of hierarchical multiple KDCs.

Session Keys

A KDC creates a secret key for each member. This secret key can be used only between
the member and the KDC, not between two members. If Alice needs to communicate
secretly with Bob, she needs a secret key between herself and Bob. A KDC can create a
session key between Alice and Bob, using their keys with the center. The keys of Alice
and Bob are used to authenticate Alice and Bob to the center and to each other before
the session key is established. After communication is terminated, the session key is no
longer useful.

A session symmetric key between two parties is used only once.



Figure 15.3 Hierarchical multiple KDCs (figure not reproduced; international KDC at the top, national KDCs below it, local KDCs at the bottom)


Several different approaches have been proposed to create the session key using
ideas discussed in Chapter 14 for entity authentication.

A Simple Protocol Using a KDC

Let us see how a KDC can create a session key between Alice and Bob. Figure 15.4
shows the steps.





'-6 



Figure 15.4 First approach using KDC (figure not reproduced; legend: K_A: encrypted with Alice-KDC secret key; K_B: encrypted with Bob-KDC secret key; K_AB: session key between Alice and Bob; KDC: key-distribution center; the first message is the plaintext "Alice, Bob")



1. Alice sends a plaintext message to the KDC to obtain a symmetric session key
between Bob and herself. The message contains her registered identity (the word
Alice in the figure) and the identity of Bob (the word Bob in the figure). This mes-
sage is not encrypted; it is public. The KDC does not care.

2. The KDC receives the message and creates what is called a ticket. The ticket is
encrypted using Bob's key (K_B). The ticket contains the identities of Alice and
Bob and the session key (K_AB). The ticket with a copy of the session key is sent to
Alice. Alice receives the message, decrypts it, and extracts the session key. She
cannot decrypt Bob's ticket; the ticket is for Bob, not for Alice. Note that this
message contains a double encryption; the ticket is encrypted, and the entire mes-
sage is also encrypted. In the second message, Alice is actually authenticated to
the KDC, because only Alice can open the whole message using her secret key
with the KDC.

3. Alice sends the ticket to Bob. Bob opens the ticket and knows that Alice needs
to send messages to him using K_AB as the session key. Note that in this mes-
sage, Bob is authenticated to the KDC because only Bob can open the ticket.
Because Bob is authenticated to the KDC, he is also authenticated to Alice, who
trusts the KDC. In the same way, Alice is also authenticated to Bob, because
Bob trusts the KDC and the KDC has sent Bob the ticket that includes the iden-
tity of Alice.

Unfortunately, this simple protocol has a flaw. Eve can use the replay attack discussed
previously. That is, she can save the message in step 3 and replay it later.

Needham-Schroeder Protocol

Another approach is the elegant Needham-Schroeder protocol, which is a foundation
for many other protocols. This protocol uses multiple challenge-response interactions
between parties to avoid the replay flaw of the simple protocol. Needham and Schroeder use two
nonces: R_A and R_B. Figure 15.5 shows the five steps used in this protocol.
We briefly describe each step:

1. Alice sends a message to the KDC that includes her nonce, R_A, her identity, and
Bob's identity.

2. The KDC sends an encrypted message to Alice that includes Alice's nonce,
Bob's identity, the session key, and an encrypted ticket for Bob. The whole mes-
sage is encrypted with Alice's key.

3. Alice sends Bob's ticket to him.

4. Bob sends his challenge to Alice (R_B), encrypted with the session key.

5. Alice responds to Bob's challenge. Note that the response carries R_B - 1 instead
of R_B.
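The exchange below is an added example, not code from the book, and it serves both the simple KDC protocol and the Needham-Schroeder protocol above. The KDC holds each member's long-term key and issues a ticket for Bob inside a message for Alice (steps 1 and 2); Alice forwards the ticket (step 3), Bob challenges with R_B under the session key (step 4), and Alice answers with R_B - 1 (step 5). The "seal"/"unseal" pair is a toy encrypt-then-MAC built only from the standard library (SHA-256 in counter mode plus HMAC) standing in for a real authenticated cipher; the JSON message layout, the 32-byte keys and the 64-bit nonces are my assumptions. The last function shows the simple protocol's flaw from Bob's side: a ticket that carries no nonce or timestamp is accepted just as readily when replayed.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key, nonce, length):
    """SHA-256 in counter mode. Toy stand-in for a real cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a 32-byte key: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or a modified message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Holds every member's long-term key and issues session keys (steps 1 and 2)."""

    def __init__(self, long_term_keys):
        self.keys = long_term_keys

    def issue(self, r_a, alice, bob):
        k_ab = secrets.token_bytes(32)                                     # fresh session key
        ticket = seal(self.keys[bob], {"peer": alice, "key": k_ab.hex()})  # only Bob can open this
        return seal(self.keys[alice],
                    {"nonce": r_a, "peer": bob, "key": k_ab.hex(), "ticket": ticket.hex()})


def needham_schroeder(kdc, k_alice, k_bob):
    """Run the five steps; True iff both sides hold the same key and Bob's challenge is answered."""
    r_a = secrets.randbelow(2 ** 64)
    reply = unseal(k_alice, kdc.issue(r_a, "Alice", "Bob"))      # steps 1 and 2
    if reply["nonce"] != r_a or reply["peer"] != "Bob":           # Alice: fresh, and for the right peer
        raise ValueError("KDC reply is a replay or names the wrong peer")
    k_ab = bytes.fromhex(reply["key"])
    ticket = bytes.fromhex(reply["ticket"])                        # step 3: Alice -> Bob: ticket
    bob_view = unseal(k_bob, ticket)
    k_ab_bob = bytes.fromhex(bob_view["key"])
    r_b = secrets.randbelow(2 ** 64)
    challenge = seal(k_ab_bob, {"nonce": r_b})                     # step 4: Bob -> Alice: E_KAB(R_B)
    response = seal(k_ab, {"nonce": unseal(k_ab, challenge)["nonce"] - 1})  # step 5: E_KAB(R_B - 1)
    return (bob_view["peer"] == "Alice" and k_ab == k_ab_bob
            and unseal(k_ab_bob, response)["nonce"] == r_b - 1)


def bob_accepts_ticket_without_freshness(k_bob, ticket):
    """Bob's side of step 3 in the simple protocol: nothing in the ticket ties it to 'now',
    so a copy Eve saved earlier opens just as well the second time."""
    try:
        return unseal(k_bob, ticket)["peer"] == "Alice"
    except ValueError:
        return False


def demo():
    k_alice, k_bob = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc = KDC({"Alice": k_alice, "Bob": k_bob})
    ticket = bytes.fromhex(unseal(k_alice, kdc.issue(1, "Alice", "Bob"))["ticket"])
    return {
        "needham_schroeder_ok": needham_schroeder(kdc, k_alice, k_bob),
        "simple_ticket_accepted_twice": (bob_accepts_ticket_without_freshness(k_bob, ticket)
                                         and bob_accepts_ticket_without_freshness(k_bob, ticket)),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce check in Alice's step 2 and the R_B / R_B - 1 handshake in steps 4 and 5 are the two places where freshness is enforced; the simple protocol has neither, which is exactly why a saved step 3 message works against it.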



Otway-Rees Protocol

A third approach is the Otway-Rees protocol, another elegant protocol. Figure 15.6
shows this five-step protocol.



Figure 15.5 Needham-Schroeder protocol (figure not reproduced; legend: K_A: encrypted with Alice-KDC secret key; K_B: encrypted with Bob-KDC secret key; K_AB: encrypted with Alice-Bob session key; KDC: key-distribution center; R_A: Alice's nonce; R_B: Bob's nonce; the first message is "Alice, Bob, R_A" and the KDC's reply carries the ticket for Bob)

The following briefly describes the steps.

1. Alice sends a message to Bob that includes a common nonce, R, the identities of
Alice and Bob, and a ticket for the KDC that includes Alice's nonce R_A (a challenge for
the KDC to use), a copy of the common nonce, R, and the identities of Alice and Bob.

2. Bob creates the same type of ticket, but with his own nonce R_B. Both tickets are
sent to the KDC.

3. The KDC creates a message that contains R, the common nonce, a ticket for Alice,
and a ticket for Bob; the message is sent to Bob. The tickets contain the corre-
sponding nonce, R_A or R_B, and the session key, K_AB.

4. Bob sends Alice her ticket.

5. Alice sends a short message encrypted with her session key K_AB to show that she
has the session key.



Figure 15.6 Otway-Rees protocol (figure not reproduced; legend: encrypted with Alice-KDC secret key; encrypted with Bob-KDC secret key; encrypted with Alice-Bob session key; KDC: key-distribution center; R_A: nonce from Alice to KDC; R_B: nonce from Bob to KDC; R: common nonce; K_AB: session key between Alice and Bob)


15.2 KERBEROS

Kerberos is an authentication protocol, and at the same time a KDC, that has become
very popular. Several systems, including Windows 2000, use Kerberos. It is named
after the three-headed dog in Greek mythology that guards the gates of Hades. Origi-
nally designed at MIT, it has gone through several versions. We only discuss version
4, the most popular, and we briefly explain the difference between version 4 and ver-
sion 5 (the latest).



Servers

Three servers are involved in the Kerberos protocol: an authentication server (AS), a
ticket-granting server (TGS), and a real (data) server that provides services to others. In
our examples and figures, Bob is the real server and Alice is the user requesting service.
Figure 15.7 shows the relationship between these three servers.



Figure 15.7 Kerberos servers (figure not reproduced; legend: AS: authentication server; TGS: ticket-granting server; the AS and TGS together form the KDC; the user (Alice) requests a ticket for the TGS and receives the Alice-TGS session key and a ticket for the TGS, requests a ticket for Bob and receives the Alice-Bob session key and a ticket for Bob, then requests access from the server (Bob), which grants it)


Authentication Server (AS)

The authentication server (AS) is the KDC in the Kerberos protocol. Each user regis-
ters with the AS and is granted a user identity and a password. The AS has a database
with these identities and the corresponding passwords. The AS verifies the user, issues
a session key to be used between Alice and the TGS, and sends a ticket for the TGS.

Ticket-Granting Server (TGS)

The ticket-granting server (TGS) issues a ticket for the real server (Bob). It also
provides the session key (K_AB) between Alice and Bob. Kerberos has separated user



verification from the issuing of tickets. In this way, though Alice verifies her ID just
once with the AS, she can contact the TGS multiple times to obtain tickets for different
real servers.

Real Server

The real server (Bob) provides services for the user (Alice). Kerberos is designed for a
client-server program, such as FTP, in which a user uses the client process to access the
server process. Kerberos is not used for person-to-person authentication.

Operation

A client process (Alice) can access a process running on the real server (Bob) in six
steps, as shown in Figure 15.8.

1. Alice sends her request to the AS in plaintext using her registered identity.

2. The AS sends a message encrypted with Alice's permanent symmetric key, K_A-AS.
The message contains two items: a session key, K_A-TGS, that is used by Alice to
contact the TGS, and a ticket for the TGS that is encrypted with the TGS symmet-
ric key, K_AS-TGS. Alice does not know K_A-AS, but when the message arrives, she
types her symmetric password. The password and the appropriate algorithm
together create K_A-AS if the password is correct. The password is then immediately
destroyed; it is not sent to the network and it does not stay in the terminal. It is used
only for a moment to create K_A-AS. The process now uses K_A-AS to decrypt the
message sent. K_A-TGS and the ticket are extracted.

3. Alice now sends three items to the TGS. The first is the ticket received from the
AS. The second is the name of the real server (Bob), the third is a timestamp that is
encrypted by K_A-TGS. The timestamp prevents a replay by Eve.

4. Now, the TGS sends two tickets, each containing the session key between Alice
and Bob, K_A-B. The ticket for Alice is encrypted with K_A-TGS; the ticket for
Bob is encrypted with Bob's key, K_TGS-B. Note that Eve cannot extract K_A-B
because Eve does not know K_A-TGS or K_TGS-B. She cannot replay step 3
because she cannot replace the timestamp with a new one (she does not know
K_A-TGS). Even if she is very quick and sends the step 3 message before the
timestamp has expired, she still receives the same two tickets that she cannot
decipher.

5. Alice sends Bob's ticket with the timestamp encrypted by K_A-B.

6. Bob confirms the receipt by adding 1 to the timestamp. The message is encrypted
with K_A-B and sent to Alice.

- 

Using Different Servers 

Note that if Alice needs to receive services from different servers, she needs to repeat
only the last four steps. The first two steps have verified Alice's identity and need
not be repeated. Alice can ask the TGS to issue tickets for multiple servers by repeating
steps 3 to 6.



Figure 15.8 Kerberos example (figure not reproduced; legend: K_A-TGS: Alice-TGS session key; K_AB: Alice-Bob session key; KDC: key-distribution center; AS: authentication server; TGS: ticket-granting server; T: timestamp (nonce); the messages carry the ticket for the TGS, the ticket for Alice, and the ticket for Bob, with the last two messages encrypted with the Alice-Bob session key)



Kerberos Version 5

The minor differences between version 4 and version 5 are briefly listed below:

1. Version 5 has a longer ticket lifetime.

2. Version 5 allows tickets to be renewed.

3. Version 5 can accept any symmetric-key algorithm.

4. Version 5 uses a different protocol for describing data types.

5. Version 5 has more overhead than version 4.

Realms

Kerberos allows the global distribution of ASs and TGSs, with each system called a
realm. A user may get a ticket for a local server or a remote server. In the second case,
for example, Alice may ask her local TGS to issue a ticket that is accepted by a remote
TGS. The local TGS can issue this ticket if the remote TGS is registered with the local
one. Then Alice can use the remote TGS to access the remote real server.

% 



15.3 SYMMETRIC-KEY AGREEMENT

Alice and Bob can create a session key between themselves without using a KDC. This
method of session-key creation is referred to as symmetric-key agreement.
Although there are several ways to accomplish this, only two common methods, Diffie-
Hellman and station-to-station, are discussed here.

Diffie-Hellman Key Agreement

In the Diffie-Hellman protocol two parties create a symmetric session key without
the need of a KDC. Before establishing a symmetric key, the two parties need to
choose two numbers p and g. The first number, p, is a large prime number on the
order of 300 decimal digits (1024 bits). The second number, g, is a generator of order
p - 1 in the group <Z_p*, x>. These two (group and generator) do not need to be con-
fidential. They can be sent through the Internet; they can be public. Figure 15.9
shows the procedure.
The steps are as follows:

1. Alice chooses a large random number x such that 0 < x < p - 1 and calculates
R1 = g^x mod p.

2. Bob chooses another large random number y such that 0 < y < p - 1 and calculates
R2 = g^y mod p.

3. Alice sends R1 to Bob. Note that Alice does not send the value of x; she sends only R1.

4. Bob sends R2 to Alice. Again, note that Bob does not send the value of y; he sends
only R2.

5. Alice calculates K = (R2)^x mod p.

6. Bob also calculates K = (R1)^y mod p.



CHAPTER 15 KEY MANAGEMENT 448

Figure 15.9 Diffie-Hellman method
[Figure labels: Alice; Bob; The values of p and g are public; R1 = g^x mod p; R2 = g^y mod p; K is the symmetric key for the session.]





Bob has calculated K = (R1)^y mod p = (g^x mod p)^y mod p = g^xy mod p. Alice has calculated K = (R2)^x mod p = (g^y mod p)^x mod p = g^xy mod p. Both have reached the same value without Bob knowing the value of x and without Alice knowing the value of y.

The symmetric (shared) key in the Diffie-Hellman method is K = g^xy mod p.



Example 15.1

Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows:

1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.

The value of K is the same for both Alice and Bob; g^xy mod p = 7^18 mod 23 = 18.






Example 15.2

Let us give a more realistic example. We used a program to create a random integer of 512 bits (the ideal is 1024 bits). The integer p is a 159-digit number. We also choose g, x, and y as shown below:

[The values of p, g, x, and y are not legible in this scan.]

The following shows the values of R1, R2, and K.

[The values of R1, R2, and K are not legible in this scan.]



The Diffie-Hellman concept, shown in Figure 15.10, is simple but elegant. We can think of the secret key between Alice and Bob as made of three parts: g, x, and y. The first part is public. Everyone knows 1/3 of the key; g is a public value. The other two parts must be added by Alice and Bob. Each of them adds one part. Alice adds x as the second part for Bob; Bob adds y as the second part for Alice. When Alice receives the 2/3-completed key from Bob, she adds the last part, her x, to complete the key. When Bob receives the 2/3-completed key from Alice, he adds the last part, his y, to complete the key. Note that although the key in Alice's hand consists of g, y, and x and the key in Bob's hand consists of g, x, and y, these two keys are the same because g^xy = g^yx.

Note also that although the two keys are the same, Alice cannot find the value y used by Bob because the calculation is done in modulo p; Alice receives g^y mod p from Bob, not g^y. To know the value of y, Alice must use the discrete logarithm that we discussed in a previous chapter.

Security of Diffie-Hellman

The Diffie-Hellman key exchange is susceptible to two attacks: the discrete logarithm attack and the man-in-the-middle attack.

Discrete Logarithm Attack  The security of the key exchange is based on the difficulty of the discrete logarithm problem. Eve can intercept R1 and R2. If she can find x from R1 = g^x mod p and y from R2 = g^y mod p, then she can calculate the symmetric key K = g^xy mod p. The secret key is not secret anymore. To make Diffie-Hellman safe from the discrete logarithm attack, the following are recommended:

1. The prime p must be very large (more than 300 decimal digits).

2. The prime p must be chosen such that p − 1 has at least one large prime factor (more than 60 decimal digits).

3. The generator must be chosen from the group <Z_p*, ×>.

4. Bob and Alice must destroy x and y after they have calculated the symmetric key. The values of x and y must be used only once.

Figure 15.10 Diffie-Hellman (caption partly illegible)
[Figure labels: 1/3 of the key is public; Alice fills up another 1/3 of the secret key using her random number; She sends the key to Bob; He sends the key to Alice; Bob fills up another 1/3 of the secret key using his random number; Alice completes the key by adding the last part; Bob completes the key by adding the last part; The two keys are the same because it does not matter (rest illegible).]
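The protocol steps above, Example 15.1, and the four recommendations against the discrete logarithm attack, as an added Python example (not code from the book). The group p = 23, g = 7 is the toy group from Example 15.1; the functions check_dh_parameters, dh_exchange and fresh_secret are this example's own names. The parameter check goes one step beyond the text: it verifies recommendation 2 in its usual strong form, a safe prime p = 2q + 1 with q prime, which also turns recommendation 3 (that g generates the whole group) into a two-exponentiation test.

```python
"""Diffie-Hellman exchange plus the chapter's parameter checks.

Added example, not code from the book. Group values are constructed:
p = 23, g = 7 from Example 15.1 (far too small for real use).
"""
import secrets

# Bases that make Miller-Rabin deterministic for every n below 3.3 * 10**24;
# for larger n the test is probabilistic, which is enough for a sanity check.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with fixed bases."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_parameters(p: int, g: int, min_bits: int = 1024) -> dict:
    """Apply recommendations 1-3 from the text to (p, g).

    Recommendation 2 is checked in its strongest common form: p is a safe
    prime, p = 2q + 1 with q prime, so p - 1 has the large prime factor q.
    Recommendation 3 (g generates <Z_p*, x>) then reduces to g^2 != 1 and
    g^q != 1 (mod p), because the only element orders are 1, 2, q and 2q.
    """
    q = (p - 1) // 2
    p_prime = is_probable_prime(p)
    q_prime = p_prime and p % 2 == 1 and is_probable_prime(q)
    g_gen = (
        q_prime
        and 1 < g < p - 1
        and pow(g, 2, p) != 1
        and pow(g, q, p) != 1
    )
    return {
        "p_prime": p_prime,
        "p_large_enough": p.bit_length() >= min_bits,
        "p_minus_1_has_large_prime_factor": q_prime,
        "g_is_generator": g_gen,
    }


def dh_exchange(p: int, g: int, x: int, y: int) -> tuple:
    """Steps 1-6 of the protocol. Returns (R1, R2, K_alice, K_bob)."""
    r1 = pow(g, x, p)          # Alice sends R1, keeps x
    r2 = pow(g, y, p)          # Bob sends R2, keeps y
    k_alice = pow(r2, x, p)    # (R2)^x mod p
    k_bob = pow(r1, y, p)      # (R1)^y mod p
    return r1, r2, k_alice, k_bob


def fresh_secret(p: int) -> int:
    """Recommendation 4: a new random exponent per session, never reused."""
    return 2 + secrets.randbelow(p - 3)   # uniform in 2 .. p-2


if __name__ == "__main__":
    print(check_dh_parameters(23, 7))      # only p_large_enough is False
    print(dh_exchange(23, 7, 3, 6))        # (21, 4, 18, 18) as in Example 15.1
    x, y = fresh_secret(23), fresh_secret(23)
    _, _, ka, kb = dh_exchange(23, 7, x, y)
    assert ka == kb
```

On the toy group the check reports everything sound except size. Real deployments take p and g from a standardized group (for example the MODP groups of RFC 3526) and still run checks of this kind on any group a peer proposes, since accepting an unverified small or non-safe prime is what makes the discrete logarithm attack practical.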

Man-in-the-Middle Attack  The protocol has another weakness. Eve does not have to find the value of x and y to attack the protocol. She can fool Alice and Bob by creating two keys: one between herself and Alice, and another between herself and Bob. Figure 15.11 shows the situation.

Figure 15.11 Man-in-the-middle attack
[Figure labels: Alice; Eve; Bob; R1 = g^x mod p; R2 = g^z mod p; R3 = g^y mod p; Alice-Eve Key; Eve-Bob Key.]

The following can happen:

1. Alice chooses x, calculates R1 = g^x mod p, and sends R1 to Bob.

2. Eve, the intruder, intercepts R1. She chooses z, calculates R2 = g^z mod p, and sends R2 to both Alice and Bob.

3. Bob chooses y, calculates R3 = g^y mod p, and sends R3 to Alice. R3 is intercepted by Eve and never reaches Alice.

4. Alice and Eve calculate K1 = g^xz mod p, which becomes a shared key between Alice and Eve. Alice, however, thinks that it is a key shared between Bob and herself.

5. Eve and Bob calculate K2 = g^zy mod p, which becomes a shared key between Eve and Bob. Bob, however, thinks that it is a key shared between Alice and himself.

In other words, two keys, instead of one, are created: one between Alice and Eve, one between Eve and Bob. When Alice sends data to Bob encrypted with K1 (shared by Alice and Eve), it can be deciphered and read by Eve. Eve can send the message to Bob encrypted by K2 (shared key between Eve and Bob); or she can even change the message or send a totally new message. Bob is fooled into believing that the message has come from Alice. A similar scenario can happen to Alice in the other direction.

This situation is called a man-in-the-middle attack because Eve comes in between and intercepts R1, sent by Alice to Bob, and R3, sent by Bob to Alice. It is also known as a bucket brigade attack because it resembles a short line of volunteers passing a bucket of water from person to person. The next method, based on the Diffie-Hellman, uses authentication to thwart this attack.



Station-to-Station Key Agreement

The station-to-station protocol is a method based on Diffie-Hellman. It uses digital signatures with public-key certificates (see the next section) to establish a session key between Alice and Bob, as shown in Figure 15.12.

Figure 15.12 Station-to-station key agreement method
[Figure labels: K = Encrypted with session key; The values of p and g are public; First message: R1; Second message: R2, Bob's certificate, signed by Bob's private key; Verify Bob's signature; Third message: signed by Alice's private key; Verify Alice's signature.]

The following shows the steps:

□ After calculating R1, Alice sends R1 to Bob (steps 1 and 2 in Figure 15.12).

□ After calculating R2 and the session key, Bob concatenates Alice's ID, R1, and R2. He then signs the result with his private key. Bob now sends R2, the signature, and his own public-key certificate to Alice. The signature is encrypted with the session key (steps 3, 4, and 5 in Figure 15.12).

□ After calculating the session key, if Bob's signature is verified, Alice concatenates Bob's ID, R1, and R2. She then signs the result with her own private key and sends it to Bob. The signature is encrypted with the session key (steps 6, 7, and 8 in Figure 15.12).

□ If Alice's signature is verified, Bob keeps the session key (step 9 in Figure 15.12).

Security of Station-to-Station Protocol

The station-to-station protocol prevents man-in-the-middle attacks. After intercepting R1, Eve cannot send her own R2 to Alice and pretend it is coming from Bob because Eve cannot forge the private key of Bob to create the signature; the signature cannot be verified with Bob's public key defined in the certificate. In the same way, Eve cannot forge Alice's private key to sign the third message sent by Alice. The certificates, as we will see in the next section, are trusted because they are issued by trusted authorities.
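The substitution of R2 described under the man-in-the-middle attack, and the signature check that lets station-to-station detect it, as one added Python example (not the book's code). The group is the toy p = 23, g = 7 from Example 15.1; the RSA signing key built from the primes 10007 and 10009 is a constructed toy standing in for Bob's certified key pair, and the names plain_dh, sts_second_message and sts_alice_accepts are this example's own. Encrypting the signature under the session key, as in Figure 15.12, is left out so that the check itself stays visible.

```python
"""Plain Diffie-Hellman versus station-to-station under a substituted R2.

Added example, not the book's code. p = 23, g = 7 is the toy group of
Example 15.1; the RSA key below is a constructed toy, not a usable key.
"""
import hashlib

P, G = 23, 7

# Toy RSA key pair standing in for Bob's certified key (constructed).
RSA_N = 10007 * 10009
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (10007 - 1) * (10009 - 1))
BOB_PUBLIC = (RSA_N, RSA_E)          # what Alice reads from Bob's certificate


def _digest(parts) -> int:
    """Hash the concatenation Alice-ID | R1 | R2 into Z_n (hash-then-sign)."""
    msg = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N


def sign(parts, d=RSA_D, n=RSA_N) -> int:
    """Textbook RSA signature: digest^d mod n."""
    return pow(_digest(parts), d, n)


def verify(parts, sig, public=BOB_PUBLIC) -> bool:
    """Check sig^e mod n against the digest of the data Alice expects."""
    n, e = public
    return pow(sig, e, n) == _digest(parts)


def plain_dh(x: int, y: int, substituted_r2=None) -> tuple:
    """Plain exchange. If substituted_r2 is given it replaces Bob's R2 on the wire.

    Returns (Alice's key, Bob's key). With a substitution the two keys
    silently differ, the situation of Figure 15.11, and neither side can tell.
    """
    r1, r2 = pow(G, x, P), pow(G, y, P)
    r2_seen_by_alice = r2 if substituted_r2 is None else substituted_r2
    return pow(r2_seen_by_alice, x, P), pow(r1, y, P)


def sts_second_message(x: int, y: int) -> tuple:
    """Bob's reply in station-to-station: R2 and Sig_Bob(Alice ID, R1, R2)."""
    r1, r2 = pow(G, x, P), pow(G, y, P)
    return r2, sign(("Alice", r1, r2))


def sts_alice_accepts(x: int, r2_seen: int, sig: int) -> bool:
    """Alice recomputes the signed string with the R2 she actually received
    and checks it with Bob's public key from his certificate. A substituted
    R2 makes the check fail, so she aborts instead of keying with a stranger."""
    r1 = pow(G, x, P)
    return verify(("Alice", r1, r2_seen), sig)


if __name__ == "__main__":
    x, y, z = 3, 6, 5
    print(plain_dh(x, y))                              # (18, 18): honest run
    print(plain_dh(x, y, substituted_r2=pow(G, z, P)))  # keys differ, unnoticed
    r2, sig = sts_second_message(x, y)
    print(sts_alice_accepts(x, r2, sig))               # True
    print(sts_alice_accepts(x, pow(G, z, P), sig))     # False: R2 no longer matches
```

The point the last call makes is the one the text states: the signature binds R1 and R2 to Bob's identity, so whoever replaces R2 would also have to produce a fresh signature under Bob's private key, which is exactly what the certificate prevents them from doing.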



SECTION 15.4 PUBLIC-KEY DISTRIBUTION 453

15.4 PUBLIC-KEY DISTRIBUTION

In asymmetric-key cryptography, people do not need to know a symmetric shared key. If Alice wants to send a message to Bob, she only needs to know Bob's public key, which is open to the public and available to everyone. If Bob needs to send a message to Alice, he only needs to know Alice's public key, which is also known to everyone. In public-key cryptography, everyone shields a private key and advertises a public key.

In public-key cryptography, everyone has access to everyone's public key; public keys are available to the public.

Public keys, like secret keys, need to be distributed to be useful. Let us briefly discuss the way public keys can be distributed.

Public Announcement

The naive approach is to announce public keys publicly. Bob can put his public key on his website or announce it in a local or national newspaper. When Alice needs to send a confidential message to Bob, she can obtain Bob's public key from his site or from the newspaper, or even send a message to ask for it. Figure 15.13 shows the situation.

Figure 15.13 Announcing a key
[Figure: Alice requests and receives Bob's public key.]

This approach, however, is not secure; it is subject to forgery. For example, Eve could make such a public announcement. Before Bob can react, damage could be done. Eve can fool Alice into sending her a message that is intended for Bob. Eve could also sign a document with a corresponding forged private key and make everyone believe it was signed by Bob. The approach is also vulnerable if Alice directly requests Bob's public key. Eve can intercept Bob's response and substitute her own forged public key for Bob's public key.

Trusted Center

A more secure approach is to have a trusted center retain a directory of public keys. The directory, like the one used in a telephone system, is dynamically updated. Each user can select a private and public key, keep the private key, and deliver the public key for insertion into the directory. The center requires that each user register in the center and prove his or her identity. The directory can be publicly advertised by the trusted center. The center can also respond to any inquiry about a public key. Figure 15.14 shows the concept.



Figure 15.14 Trusted center
[Figure labels: Directory; Trusted center.]

Controlled Trusted Center

A higher level of security can be achieved if there are added controls on the distribution of the public keys. The public-key announcements can include a timestamp and be signed by an authority to prevent interception and modification of the response. If Alice needs to know Bob's public key, she can send a request to the center including Bob's name and a timestamp. The center responds with Bob's public key, the original request, and the timestamp signed with the private key of the center. Alice uses the public key of the center, known by all, to verify the timestamp. If the timestamp is verified, she extracts Bob's public key. Figure 15.15 shows one scenario.

Certification Authority

The previous approach can create a heavy load on the center if the number of requests is large. The alternative is to create public-key certificates. Bob wants two things: he wants people to know his public key, and he wants no one to accept a forged public key as his. Bob can go to a certification authority (CA), a federal or state organization that binds a public key to an entity and issues a certificate. The CA has a well-known public key itself that cannot be forged. The CA checks Bob's identification (using a picture ID along with other proof). It then asks for Bob's public key and writes it on the certificate. To prevent the certificate itself from being forged, the CA signs the certificate with its private key. Now Bob can upload the signed certificate. Anyone who wants Bob's public key downloads the signed certificate and uses the center's public key to extract Bob's public key. Figure 15.16 shows the concept.



Figure 15.15 Controlled trusted center
[Figure labels: Directory; public key; T: Timestamp; Request, Bob's key, T; signed with the center's private key.]

Figure 15.16 Certification authority
[Figure labels: Directory; CA: Certification authority; Bob; Bob's public key; Applying; CA's private key; Trusted center; Distributing the public key.]

X.509

Although the use of a CA has solved the problem of public-key fraud, it has created a side effect. Each certificate may have a different format. If Alice wants to use a program to automatically download different certificates and digests belonging to different people, the program may not be able to do this. One certificate may have the public key in one format and another in a different format. The public key may be on the first line in one certificate, and on the third line in another. Anything that needs to be used universally must have a universal format.

To remove this side effect, the ITU has designed X.509, a recommendation that has been accepted by the Internet with some changes. X.509 is a way to describe the certificate in a structured way. It uses a well-known protocol called ASN.1 (Abstract Syntax Notation 1) that defines fields familiar to C programmers.

Certificate

Figure 15.17 shows the format of a certificate.

Figure 15.17 X.509 certificate format
[Figure labels: Version; Serial number; Signature algorithm ID; Issuer name; Validity period; Subject name; Subject public key; Issuer unique identifier; Subject unique identifier; Extensions; Signature; Hash; Signature algorithm; Signed with CA's private key; Hash algorithm ID + Cipher ID.]

A certificate has the following fields:

□ Version number. This field defines the version of X.509 of the certificate. The version number started at 0; the current version (third version) is 2.

□ Serial number. This field defines a number assigned to each certificate. The value is unique for each certificate issuer.

□ Signature algorithm ID. This field identifies the algorithm used to sign the certificate. Any parameter that is needed for the signature is also defined in this field.

□ Issuer name. This field identifies the certification authority that issued the certificate. The name is normally a hierarchy of strings that defines a country, a state, organization, department, and so on.

□ Validity period. This field defines the earliest time (not before) and the latest time (not after) the certificate is valid.

□ Subject name. This field defines the entity to which the public key belongs. It is also a hierarchy of strings. Part of the field defines what is called the common name, which is the actual name of the holder of the key.

□ Subject public key. This field defines the owner's public key, the heart of the certificate. The field also defines the corresponding public-key algorithm (RSA, for example) and its parameters.

□ Issuer unique identifier. This optional field allows two issuers to have the same issuer field value, if the issuer unique identifiers are different.

□ Subject unique identifier. This optional field allows two different subjects to have the same subject field value, if the subject unique identifiers are different.

□ Extensions. This optional field allows issuers to add more private information to the certificate.

□ Signature. This field is made of three sections. The first section contains all other fields in the certificate. The second section contains the digest of the first section encrypted with the CA's public key. The third section contains the algorithm identifier used to create the second section.

Certificate Renewal

Each certificate has a period of validity. If there is no problem with the certificate, the CA issues a new certificate before the old one expires. The process is like the renewal of credit cards by a credit card company; the credit card holder normally receives a renewed credit card before the old one expires.

Certificate Revocation

In some cases a certificate must be revoked before its expiration. Here are some examples:

a. The user's (subject's) private key (corresponding to the public key listed in the certificate) might have been compromised.

b. The CA is no longer willing to certify the user. For example, the user's certificate relates to an organization that she no longer works for.

c. The CA's private key, which can verify certificates, may have been compromised. In this case, the CA needs to revoke all unexpired certificates.

The revocation is done by periodically issuing a certificate revocation list (CRL). The list contains all revoked certificates that are not expired on the date the CRL is issued. When a user wants to use a certificate, she first needs to check the directory of the corresponding CA for the last certificate revocation list. Figure 15.18 shows the certificate revocation list.

A certificate revocation list has the following fields:

□ Signature algorithm ID. This field is the same as the one in the certificate.

□ Issuer name. This field is the same as the one in the certificate.

□ This update date. This field defines when the list is released.

□ Next update date. This field defines the next date when the new list will be released.



Figure 15.18 Certificate revocation format
[Figure labels: Signature algorithm ID; Issuer name; This update date; Next update date; Revoked certificate (repeated); Signature; Signature algorithm; Signed with CA's private key; Hash algorithm ID + Cipher ID + Parameter.]

□ Revoked certificate. This is a repeated list of all unexpired certificates that have been revoked. Each list contains two sections: user certificate serial number and revocation date.

□ Signature. This field is the same as the one in the certificate list.
Delta Revocation

To make revocation more efficient, the delta certificate revocation list (delta CRL) has been introduced. A delta CRL is created and posted to the directory if there are changes after this update date and before next update date. For example, if CRLs are issued every month, but there are revocations in between, the CA can create a delta CRL when there is a change during the month. However, a delta CRL contains only the changes made after the last CRL.

Public-Key Infrastructures (PKI)

Public-Key Infrastructure (PKI) is a model for creating, distributing, and revoking certificates based on the X.509. The Internet Engineering Task Force (see Appendix B) has created the Public-Key Infrastructure X.509 (PKIX).

Duties

Several duties have been defined for a PKI. The most important ones are shown in Figure 15.19.

□ Certificates' issuing, renewal, and revocation. These are duties defined in the X.509. Because the PKIX is based on X.509, it needs to handle all duties related to certificates.

□ Keys' storage and update. A PKI should be a storage place for private keys of those members that need to hold their private keys somewhere safe. In addition, a PKI is responsible for updating these keys on members' demands.



Figure 15.19 Some duties of a PKI
[Figure labels: Certificates' issuing, renewal, and revocation; Keys' storage and update; Providing services to other protocols; Providing access control.]

□ Providing services to other protocols. As we will see in the next few chapters, some Internet security protocols, such as IPSec and TLS, are relying on the services by a PKI.

□ Providing access control. A PKI can provide different levels of access to the information stored in its database. For example, an organization PKI may provide access to the whole database for the top management, but limited access for employees.

Trust Model

It is not possible to have just one CA issuing all certificates for all users in the world. There should be many CAs, each responsible for creating, storing, issuing, and revoking a limited number of certificates. The trust model defines rules that specify how a user can verify a certificate received from a CA.

Hierarchical Model  In this model, there is a tree-type structure with a root CA. The root CA has a self-signed, self-issued certificate; it needs to be trusted by other CAs and users for the system to work. Figure 15.20 shows a trust model of this kind with three hierarchical levels. The number of levels can be more than three in a real situation.

Figure 15.20 PKI hierarchical model
[Figure labels: CA; CA1; CA2; CA3; User1, User2, User3 and so on; X → Y.]

Figure 15.20 shows that the CA (the root) has signed certificates for CA1, CA2, and CA3; CA1 has signed certificates for User1, User2, and User3; and so on. PKI uses the following notation: X<<Y>> means the certificate issued by authority X for entity Y.

Example 15.3

[The problem statement is not legible in this scan.]

Solution

User3 sends a chain of certificates, CA<<CA1>> and CA1<<User3>>, to User1.

a. User1 validates CA<<CA1>> using the public key of CA.
b. User1 extracts the public key of CA1 from CA<<CA1>>.
c. User1 validates CA1<<User3>> using the public key of CA1.
d. User1 extracts the public key of User3 from CA1<<User3>>.
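Certificate path building from Example 15.3 together with the validity-period and revocation checks of the X.509 section (base CRL plus delta CRL), as an added Python example that is not the book's code. The certificates for CA, CA1, User1, User2 and User3, their serial numbers, dates and CRL entries are constructed to mirror Figure 15.20; Certificate, CRL, build_chain, effective_revocations and validate are this example's own names. Verifying the signature on each link (steps a and c of the example) is assumed to be done separately; what the block shows is the rest of path validation: chaining issuer to subject up to a trusted self-signed root, enforcing not-before/not-after on every certificate, requiring a CRL that has not passed its next update date, and merging a delta CRL into its base before the serial-number lookup.

```python
"""Certificate path building and CRL / delta-CRL revocation checking.

Added example, not the book's code. All names, serials, dates and revoked
entries below are constructed to mirror Figure 15.20 and Example 15.3.
Signature verification of each link is assumed to be done by the caller.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    """The X.509 fields this example needs; X<<Y>> means issuer X, subject Y."""
    serial: int
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """Base or delta CRL: issuer, this/next update dates, serial -> revocation date."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)
    is_delta: bool = False


def effective_revocations(base: CRL, delta: Optional[CRL]) -> dict:
    """Merge a delta CRL into its base; the delta carries only changes after the base."""
    merged = dict(base.revoked)
    if delta is not None:
        if delta.issuer != base.issuer or delta.this_update < base.this_update:
            raise ValueError("delta CRL does not belong to this base CRL")
        merged.update(delta.revoked)
    return merged


def build_chain(leaf: Certificate, certs: dict, trusted_roots: set) -> list:
    """Walk issuer links (CA1<<User3>>, CA<<CA1>>, CA<<CA>>) up to a trusted self-signed root."""
    chain, cert = [leaf], leaf
    while cert.issuer != cert.subject:
        issuer_cert = certs.get(cert.issuer)
        if issuer_cert is None:
            raise ValueError(f"no certificate found for issuer {cert.issuer}")
        if len(chain) > 8:
            raise ValueError("certificate chain too long or cyclic")
        chain.append(issuer_cert)
        cert = issuer_cert
    if cert.subject not in trusted_roots:
        raise ValueError(f"root {cert.subject} is not trusted")
    return chain


def validate(leaf: Certificate, certs: dict, trusted_roots: set,
             crls: dict, now: datetime) -> str:
    """Return 'ok' or the first reason the path is not usable at time `now`."""
    try:
        chain = build_chain(leaf, certs, trusted_roots)
    except ValueError as exc:
        return str(exc)
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return f"{cert.subject} outside validity period"
        if cert.issuer == cert.subject:
            continue                       # the root is trusted directly, not via a CRL
        base, delta = crls.get(cert.issuer, (None, None))
        if base is None or now > base.next_update:
            return f"no current CRL from {cert.issuer}"
        if cert.serial in effective_revocations(base, delta):
            return f"{cert.subject} revoked by {cert.issuer}"
    return "ok"


# Constructed data mirroring Figure 15.20: CA -> CA1 -> User1, User2, User3.
D = datetime
CERTS = {c.subject: c for c in [
    Certificate(1, "CA", "CA", D(2006, 1, 1), D(2016, 1, 1)),
    Certificate(2, "CA", "CA1", D(2006, 1, 1), D(2011, 1, 1)),
    Certificate(30, "CA1", "User3", D(2007, 1, 1), D(2008, 1, 1)),
    Certificate(31, "CA1", "User1", D(2007, 1, 1), D(2008, 1, 1)),
    Certificate(32, "CA1", "User2", D(2007, 1, 1), D(2008, 1, 1)),
]}
TRUSTED = {"CA"}
CRLS = {   # issuer -> (base CRL, delta CRL or None)
    "CA": (CRL("CA", D(2007, 6, 1), D(2007, 7, 1)), None),
    "CA1": (CRL("CA1", D(2007, 6, 1), D(2007, 7, 1), {31: D(2007, 5, 20)}),
            CRL("CA1", D(2007, 6, 10), D(2007, 7, 1), {30: D(2007, 6, 9)}, is_delta=True)),
}

if __name__ == "__main__":
    now = D(2007, 6, 15)
    for user in ("User3", "User1", "User2"):
        print(user, validate(CERTS[user], CERTS, TRUSTED, CRLS, now))
    print("User2", validate(CERTS["User2"], CERTS, TRUSTED, CRLS, D(2007, 8, 1)))
```

User1 is caught by the base CRL and User3 only by the delta, which is the point of merging both before the lookup; User2 validates in June but is refused in August, because a CRL past its next update date tells the verifier nothing about revocations it might have missed.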

Example 15.4

Some Web browsers, such as Netscape and Internet Explorer, include a set of certificates from independent roots without a single, high-level authority to certify each root. One can find the list of trusted roots (using pull-down menu). The user then can choose any of these roots and see the [remainder not legible in this scan].

Mesh Model  The hierarchical model may work for an organization or a small community. A larger community may need several hierarchical structures connected together. One method is to use a mesh model to connect the roots together. In this model, each root is connected to every other root, as shown in Figure 15.21.

Figure 15.21 shows that the mesh structure connects only roots together; each root has its own hierarchical structure, shown by a triangle. The certificates between the roots are cross certificates; each root certifies all other roots, which means there are N × (N − 1) certificates. In Figure 15.21, there are 4 nodes, so we need 4 × 3 = 12 certificates. Note that each double-arrow line represents two certificates.

Example 15.5

Alice is under the authority Root1; Bob is under the authority Root4. Show how Alice can obtain Bob's verified public key.

Solution

Bob sends a chain of certificates from Root4 to Bob. Alice looks at the directory of Root1 to find Root1<<Root1>> and Root1<<Root4>> certificates. Using the process [remainder not legible in this scan].

Web of Trust  This model is used in Pretty Good Privacy, a security service for electronic mail discussed in Chapter 16.

SECTION 15.5 RECOMMENDED READING 461

Figure 15.21 Mesh model
[Figure: four roots, each pair of which have signed a certificate for each other.]

15.5 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

For further discussion of symmetric-key and asymmetric-key management, see [Sti06], [KPS02], [Sta06], [Rhe03], and [PHS03].

WebSites

The following websites give more information about topics discussed in this chapter.

en.wikipedia.org/wiki/Diffie-Hellman
www.ietf.org/rfc/rfc2631.txt



15.6 KEY TERMS AND CONCEPTS

authentication server (AS)              public-key certificate
bucket brigade attack                   public-key infrastructure (PKI)
certification authority (CA)            session key
Diffie-Hellman protocol                 station-to-station protocol
Kerberos                                ticket
key-distribution center (KDC)           ticket-granting server (TGS)
man-in-the-middle attack                trust model
Needham-Schroeder protocol              X.509
Otway-Rees protocol



15.7 SUMMARY

□ Symmetric-key cryptography needs a shared secret key between two parties. If N people need to communicate with each other, N(N − 1)/2 keys are needed. The number of keys is not the only problem; the distribution of keys is another.

□ A practical solution is the use of a trusted third party, referred to as a key-distribution center (KDC). A KDC can create a session (temporary) key between Alice and Bob using their keys with the center. The keys of Alice and Bob are used to authenticate Alice and Bob to the center.

□ Several different approaches have been proposed to create the session key using ideas discussed in Chapter 14 for entity authentication. Two of the most elegant ones are Needham-Schroeder protocol, which is a foundation for many other protocols, and Otway-Rees protocol.

□ Kerberos is both an authentication protocol and a KDC. Several systems, including Windows 2000, use Kerberos. Three servers are involved in the Kerberos protocol: an authentication server (AS), a ticket-granting server (TGS), and a real (data) server.

□ Alice and Bob can create a session key between themselves without a KDC. This method of session-key creation is referred to as the symmetric-key agreement. We discussed two methods: Diffie-Hellman and station-to-station. The first is susceptible to the man-in-the-middle attack; the second is not.

□ Public keys, like secret keys, need to be distributed to be useful. Certificate authorities (CAs) provide certificates as proof of the ownership of public keys. X.509 is a recommendation that defines the structure of certificates issued by CAs.

□ Public Key Infrastructure (PKI) is a model for creating, distributing, and revoking certificates, based on the X.509. The Internet Engineering Task Force has created the Public Key Infrastructure (PKIX). The duties of a PKI include certificate issuing, private key storage, services to other protocols, and access control.

SECTION 15.8 PRACTICE SET 463

□ A PKI also defines trust models, the relationship between certificate authorities. The three trust models mentioned in this chapter are hierarchical, mesh, and web of trust.

15.8 PRACTICE SET

Review Questions

1. List the duties of a KDC.

2. Define a session key and show how a KDC can create a session key between Alice and Bob.

3. Define Kerberos and name its servers. Briefly explain the duties of each server.

4. Define the Diffie-Hellman protocol and its purpose.

5. Define the man-in-the-middle attack.

6. Define the station-to-station protocol and mention its purpose.

7. Define a certification authority (CA) and its relation to public-key cryptography.

8. Define the X.509 recommendation and state its purpose.

9. List the duties of a PKI.

10. Define a trust model and mention some variations of this model discussed in this chapter.

Exercises

11. In Figure 15.4, what happens if the ticket for Bob is not encrypted in step 2 with K_B, but is encrypted instead by K_AB in step 3?

12. Why is there a need for four nonces in the Needham-Schroeder protocol?

13. In the Needham-Schroeder protocol, how is Alice authenticated by the KDC? How is Bob authenticated by the KDC? How is the KDC authenticated to Alice? How is the KDC authenticated to Bob? How is Alice authenticated to Bob? How is Bob authenticated to Alice?

14. Can you explain why in the Needham-Schroeder protocol, Alice is the party that is in contact with the KDC, but in the Otway-Rees protocol Bob is the party that is in contact with the KDC?

15. There are four nonces (R_A, R_B, R_1, and R_2) in the Needham-Schroeder protocol, but only three nonces (R_A, R_B, and R) in the Otway-Rees protocol. Can you explain why there is a need for one extra nonce, R_2, in the first protocol?

16. Why do you think we need only one timestamp in Kerberos instead of four nonces as in Needham-Schroeder or three nonces as in Otway-Rees?

17. In the Diffie-Hellman protocol, g = 7, p = 23, x = 3, and y = 5.

    a. What is the value of the symmetric key?

    b. What is the value of R1 and R2?

18. In the Diffie-Hellman protocol, what happens if x and y have the same value, that is, Alice and Bob have accidentally chosen the same number? Are R1 and R2 the same? Do the session keys calculated by Alice and Bob have the same value? Use an example to prove your claims.

19. In a trivial (not secure) Diffie-Hellman key exchange, p = 53. Find an appropriate value for g.

20. In station-to-station protocol, show that if the identity of the receiver is removed from the signature, the protocol becomes vulnerable to the man-in-the-middle attack.

21. Discuss the trustworthiness of the certificates provided by browsers.



Network Security

Part Four focuses on the subject that is the ultimate goal of the book: using cryptography to create secure networks. This part assumes that the reader has previous knowledge of the Internet architecture and the TCP/IP Protocol Suite. Appendix C can be used as a quick review in this case. Readers are also referred to [For06] on the reference list for further study. Each chapter in this part is dedicated to the discussion of security in one of the three layers of the TCP/IP Protocol Suite: application layer, transport layer, and network layer. Chapter 16 discusses security at the application layer. Chapter 17 discusses security at the transport layer. Chapter 18 discusses security at the network layer.

Chapter 16: Security at the Application Layer: PGP and S/MIME

Chapter 16 discusses two protocols that provide security for electronic mail (e-mail). Pretty Good Privacy (PGP) is a protocol that is common for personal e-mail exchange. Secure/Multipurpose Internet Mail Extension (S/MIME) is a protocol that is common in commercial e-mail systems.

Chapter 17: Security at the Transport Layer: SSL and TLS

Chapter 17 first shows the need for security services at the transport layer of the Internet model. It then shows how security at the transport level can be provided using one of two protocols: Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The second protocol is the new version of the first.

Chapter 18: Security at the Network Layer: IPSec

Chapter 18 is devoted to the only common security protocol at the network layer: IPSec. The chapter defines the architecture of IPSec and discusses the application of IPSec in transport and tunnel modes. The chapter also discusses other auxiliary protocols, such as IKE, that are used by IPSec, defines Internet Key Exchange, and explains how it is used by IPSec.



Security at the Application Layer: PGP and S/MIME

Objectives





□ To define trust mechanisms in both PGP and S/MIME

□ To show the structure of messages exchanged in PGP and S/MIME

This chapter discusses two protocols providing security services for e-mails: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME). Understanding each of these protocols requires a general understanding of the e-mail system. We first discuss the structure of electronic mail. We then show how PGP and S/MIME can add security services to this structure. Emphasis is on how PGP and S/MIME can exchange cryptographic algorithms, secret keys, and certificates without establishing a session between Alice and Bob.



16.1 E-MAIL




Let us first discuss the electronic mail (e-mail) system in general. 



E-mail Architecture 



CHAPTER 16 SECURITY AT THE APPLICATION LAYER: PGP AND S/MIME

Figure 16.1 E-mail architecture (UA: user agent; MTA: message transfer agent; MAA: message access agent; Alice's and Bob's computers reach their mail servers over a LAN or WAN)

Figure 16.1 shows the most common scenario in a two-way e-mail exchange. Assume that Alice is working in an organization that runs an e-mail server; every employee is connected to the e-mail server through a LAN. Alternatively, Alice could be connected to the e-mail server of an ISP through a WAN (telephone line or cable line). Bob is also in one of the above two situations.

The administrator of the e-mail server at Alice's site has created a queuing system that sends e-mail to the Internet one by one. The administrator of the e-mail server at Bob's site has created a mailbox for every user connected to the server; the mailbox holds the received messages until they are retrieved by the recipient.

When Alice needs to send a message to Bob, she invokes a user agent (UA) program to prepare the message. She then uses another program, a message transfer agent (MTA), to send the message to the mail server at her site. Note that the MTA is a client/server program with the client installed at Alice's computer and the server installed at the mail server.

The message received at the mail server at Alice's site is queued with all other messages; each goes to its corresponding destination. In Alice's case, her message goes to the mail server at Bob's site. A client/server MTA is responsible for the e-mail transfer between the two servers. When the message arrives at the destination mail server, it is stored in Bob's mailbox, a special file that holds the message until it is retrieved by Bob.

When Bob needs to retrieve his messages, including the one sent by Alice, he invokes another program, which we call a message access agent (MAA). The MAA is also designed as a client/server program with the client installed at Bob's computer and the server installed at the mail server.

There are several important points about the architecture of the e-mail system.

a. The sending of an e-mail from Alice to Bob is a store-retrieve activity. Alice can send an e-mail today; Bob, being busy, may check his e-mail three days later. During this time, the e-mail is stored in Bob's mailbox until it is retrieved.

b. The main communication between Alice and Bob is through two application programs: the MTA client at Alice's computer and the MAA client at Bob's computer.

c. The MTA client program is a push program; the client pushes the message when Alice needs to send it. The MAA client program is a pull program; the client pulls the messages when Bob is ready to retrieve his e-mail.



SECTION 16.1 E-MAIL 469

d. Alice and Bob cannot directly communicate using an MTA client at the sender site and an MTA server at the receiver site. This would require that the MTA server be running all the time, because Bob does not know when a message will arrive. This is not practical, because Bob probably turns off his computer when he does not need it.

E-mail Security

Sending an e-mail is a one-time activity. The nature of this activity is different from those we will see in the next two chapters. In IPSec or SSL, we assume that the two parties create a session between themselves and exchange data in both directions. In e-mail, there is no session; Alice and Bob cannot create a session. Alice sends a message to Bob; some time later, Bob reads the message and may or may not send a reply. We discuss the security of a unidirectional message because what Alice sends to Bob is totally independent of what Bob sends to Alice.

Cryptographic Algorithms

If e-mail is a one-time activity, how can the sender and receiver agree on a cryptographic algorithm to use for e-mail security? If there is no session and no handshaking to negotiate the algorithms for encryption/decryption and hashing, how can the receiver know which algorithm the sender has chosen for each purpose?

One solution is for the underlying protocol to select one algorithm for each cryptographic operation and to force Alice to use only those algorithms. This solution is very restrictive and limits the capabilities of the two parties.

A better solution is for the underlying protocol to define a set of algorithms for each operation that the user can use in his/her system. Alice includes the name (or identifiers) of the algorithms she has used in the e-mail. For example, Alice can choose triple DES for encryption/decryption and MD5 for hashing. When Alice sends a message to Bob, she includes the corresponding identifiers for triple DES and MD5 in her message. Bob receives the message and extracts the identifiers first. He then knows which algorithm to use for decryption and which one for hashing.

In e-mail security, the sender of the message needs to include the name or identifiers of the algorithms used in the message.



Cryptographic Secrets

The same problem for the cryptographic algorithms applies to the cryptographic secrets (keys). If there is no negotiation, how can the two parties establish secrets between themselves? Alice and Bob could use asymmetric-key algorithms for authentication and encryption, which do not require the establishment of a symmetric key. However, as we have discussed, the use of asymmetric-key algorithms is very inefficient for the encryption/decryption of a long message.

Most e-mail security protocols today require that encryption/decryption be done using a symmetric-key algorithm and a one-time secret key sent with the message. Alice can create a secret key and send it with the message she sends to Bob. To protect the secret key from interception by Eve, the secret key is encrypted with Bob's public key. In other words, the secret key itself is encrypted.

In e-mail security, the encryption/decryption is done using a symmetric-key algorithm, but the secret key to decrypt the message is encrypted with the public key of the receiver and is sent with the message.




Certificates

One more issue needs to be considered before we discuss any e-mail security protocol in particular. It is obvious that some public-key algorithms must be used for e-mail security. For example, we need to encrypt the secret key or sign the message. To encrypt the secret key, Alice needs Bob's public key; to verify a signed message, Bob needs Alice's public key. So, for sending a small authenticated and confidential message, two public keys are needed. How can Alice be assured of Bob's public key and how can Bob be assured of Alice's public key? Each e-mail security protocol has a different method of certifying keys.



16.2 PGP

The first protocol discussed in this chapter is called Pretty Good Privacy (PGP). PGP was invented by Phil Zimmermann to provide e-mail with privacy, integrity, and authentication. PGP can be used to create a secure e-mail message or to store a file securely for future retrieval.

Let us first discuss the general idea of PGP, moving from a simple scenario to a complex one. We use the term "Data" to show the message or file prior to processing.



Scenarios

Plaintext

The simplest scenario is to send the e-mail message (or store the file) in plaintext, as shown in Figure 16.2. There is no message integrity or confidentiality in this scenario. Alice, the sender, composes a message and sends it to Bob, the receiver. The message is stored in Bob's mailbox until it is retrieved by him.

Figure 16.2 A plaintext message (Alice sends the data to Bob unchanged)



SECTION 16.2 PGP 471

Message Integrity

Probably the next improvement is to let Alice sign the message. Alice creates a digest of the message and signs it with her private key. When Bob receives the message, he verifies the message by using Alice's public key. Two keys are needed for this scenario. Alice needs to know her private key; Bob needs to know Alice's public key. Figure 16.3 shows the situation.

Figure 16.3 An authenticated message (the digest is digitally signed with Alice's private key; Bob verifies it with Alice's public key)



Compression

A further improvement is to compress the message and digest to make the packet more compact. This improvement has no security benefit, but it eases the traffic. Figure 16.4 shows the new scenario.

Figure 16.4 A compressed message (the message and signed digest are compressed; signing uses Alice's private key, verification uses Alice's public key)

Confidentiality with One-Time Session Key

As we discussed before, confidentiality in an e-mail system can be achieved using conventional encryption with a one-time session key. Alice can create a session key, use the session key to encrypt the message and the digest, and send the key itself with the message. However, to protect the session key, Alice encrypts it with Bob's public key. Figure 16.5 shows the situation.

When Bob receives the packet, he first decrypts the session key using his private key. He then uses the session key to decrypt the rest of the message. After decompressing the rest of the message, Bob creates a digest of the message and checks to see if it is equal to the digest sent by Alice. If it is, then the message is authentic.

Figure 16.5 A confidential message (the digest is digitally signed with Alice's private key; the session key is encrypted with Bob's public key; Bob recovers the session key with his private key and verifies the signature with Alice's public key)

Code Conversion

Another service provided by PGP is code conversion. Most e-mail systems allow the message to consist of only ASCII characters. To translate other characters not in the ASCII set, PGP uses Radix-64 conversion. Each character to be sent (after encryption) is converted to Radix-64 code, which is discussed later in the chapter.

Segmentation

PGP allows segmentation of the message after it has been converted to Radix-64 to make each transmitted unit the uniform size allowed by the underlying e-mail protocol.
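Segmentation and the receiver's reassembly, as an added example that is not the textbook's or PGP's code. The `index/total:` prefix on each unit is this example's own convention, and the Radix-64 sample it splits is constructed; the receiver refuses to deliver a message with a segment missing or with two conflicting copies of one segment.

```python
"""Added example, not from the textbook: segmenting a Radix-64 message into
units of uniform size and reassembling them. The 'index/total:' unit header is
this example's own convention, not PGP's packet format."""
import base64

# Constructed stand-in for the Radix-64 output of the previous steps.
SAMPLE_PLAINTEXT = b"constructed ciphertext stand-in"
SAMPLE_RADIX64 = base64.b64encode(SAMPLE_PLAINTEXT).decode("ascii")


def decode_radix64(text):
    return base64.b64decode(text)


def segment(text, unit_size):
    """Split text into units of at most unit_size payload characters."""
    if unit_size <= 0:
        raise ValueError("unit_size must be positive")
    parts = [text[i:i + unit_size] for i in range(0, len(text), unit_size)]
    return [f"{i + 1}/{len(parts)}:{part}" for i, part in enumerate(parts)]


def _parse(unit):
    header, _, payload = unit.partition(":")
    index, _, total = header.partition("/")
    return int(index), int(total), payload


def missing_segments(units):
    """Indices the receiver still lacks; [] means the set is complete."""
    total = max((_parse(u)[1] for u in units), default=0)
    present = {_parse(u)[0] for u in units}
    return [i for i in range(1, total + 1) if i not in present]


def reassemble(units):
    """Rebuild the Radix-64 text from units arriving in any order.

    Refuses to return a partial message, and refuses two copies of one index
    with different payloads (a corrupted or forged duplicate)."""
    payloads = {}
    totals = set()
    for unit in units:
        index, total, payload = _parse(unit)
        totals.add(total)
        if payloads.setdefault(index, payload) != payload:
            raise ValueError(f"conflicting copies of segment {index}")
    if len(totals) != 1:
        raise ValueError("units disagree on the segment count")
    gaps = missing_segments(units)
    if gaps:
        raise ValueError(f"missing segments {gaps}")
    return "".join(payloads[i] for i in sorted(payloads))


if __name__ == "__main__":
    units = segment(SAMPLE_RADIX64, 10)
    print(units)
    print(decode_radix64(reassemble(reversed(units))))
```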

Key Rings

In all previous scenarios, we assumed that Alice needs to send a message only to Bob. That is not always the case. Alice may need to send messages to many people; she needs key rings. In this case, Alice needs a ring of public keys, with a key belonging to each person with whom Alice needs to correspond (send or receive messages). In addition, the PGP designers specified a ring of private/public keys. One reason is that Alice may wish to change her pair of keys from time to time. Another reason is that Alice may need to correspond with different groups of people (friends, colleagues, and so on). Alice may wish to use a different key pair for each group. Therefore, each user needs to have two sets of rings: a ring of private/public keys, and a ring of public keys of other people. Figure 16.6 shows a community of four people, each having a ring of pairs of private/public keys and, at the same time, a ring of public keys belonging to other people in the community.

Alice, for example, has several pairs of private/public keys belonging to her and public keys belonging to other people. Note that everyone can have more than one public key. Two cases may arise.

1. Alice needs to send a message to another person in the community.

a. She uses her private key to sign the digest.

b. She uses the receiver's public key to encrypt a newly created session key.

c. She encrypts the message and signed digest with the session key created.



Figure 16.6 Key rings in PGP (each of the four members of the community holds a ring of private/public key pairs and a ring of the other members' public keys)

2. Alice receives a message from another person in the community.

a. She uses her private key to decrypt the session key.

b. She uses the session key to decrypt the message and digest.

c. She uses her public key to verify the digest.



PGP Algorithms

The following algorithms are used in PGP.

Public-Key Algorithms The public-key algorithms that are used for signing the digests or encrypting the messages are listed in Table 16.1.

Table 16.1 Public-key algorithms

ID       | Description
1        | RSA (encryption or signing)
2        | RSA (for encryption only)
3        | RSA (for signing only)
16       | ElGamal (encryption only)
17       | DSS
18       | Reserved for elliptic curve
19       | Reserved for ECDSA
20       | ElGamal (for encryption or signing)
21       | Reserved for Diffie-Hellman
100-110  | Private algorithms



Symmetric-Key Algorithms The symmetric-key algorithms that are used for conventional encryption are shown in Table 16.2.

Table 16.2 Symmetric-key algorithms

ID       | Description
0        | No encryption
1        | IDEA
2        | Triple DES
3        | CAST-128
4        | Blowfish
5        | SAFER-SK128
6        | Reserved for DES/SK
7        | Reserved for AES-128
8        | Reserved for AES-192
9        | Reserved for AES-256
100-110  | Private algorithms



Hash Algorithms The hash algorithms that are used for creating hashes in PGP are shown in Table 16.3.

Table 16.3 Hash algorithms

ID       | Description
1        | MD5
2        | SHA-1
3        | RIPE-MD/160
4        | Reserved for double-width SHA
5        | MD2
6        | TIGER/192
7        | Reserved for HAVAL
100-110  | Private algorithms



Compression Algorithms The compression algorithms that are used for compressing text are shown in Table 16.4.

Table 16.4 Compression methods

ID       | Description
0        | Uncompressed
1        | ZIP
2        | ZLIB
100-110  | Private methods
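The identifier tables above, used the way Section 16.1 describes: Alice records the identifiers of the algorithms she used in the message, and Bob extracts them before doing anything else. This is an added example, not the textbook's or any PGP implementation's code; the `pk=...;sym=...;hash=...;comp=...` header syntax is this example's own convention. The receiver side also refuses reserved and private identifiers, since it has no algorithm it could run for them without an out-of-band agreement.

```python
"""Added example, not from the textbook or any PGP implementation: the
identifier registries of Tables 16.1 to 16.4, a sender routine that records
the identifiers in a message header, and a receiver routine that reads them
back and refuses identifiers it cannot act on. The 'pk=1;sym=2;hash=1;comp=1'
header syntax is this example's own convention."""

PUBLIC_KEY_ALGS = {
    1: "RSA (encryption or signing)", 2: "RSA (encryption only)",
    3: "RSA (signing only)", 16: "ElGamal (encryption only)", 17: "DSS",
    18: "Reserved for elliptic curve", 19: "Reserved for ECDSA",
    20: "ElGamal (encryption or signing)", 21: "Reserved for Diffie-Hellman",
}
SYMMETRIC_ALGS = {
    0: "No encryption", 1: "IDEA", 2: "Triple DES", 3: "CAST-128",
    4: "Blowfish", 5: "SAFER-SK128", 6: "Reserved for DES/SK",
    7: "Reserved for AES-128", 8: "Reserved for AES-192", 9: "Reserved for AES-256",
}
HASH_ALGS = {
    1: "MD5", 2: "SHA-1", 3: "RIPE-MD/160", 4: "Reserved for double-width SHA",
    5: "MD2", 6: "TIGER/192", 7: "Reserved for HAVAL",
}
COMPRESSION_ALGS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB"}
PRIVATE_RANGE = range(100, 111)   # 100-110 in every table

FIELDS = (("pk", PUBLIC_KEY_ALGS), ("sym", SYMMETRIC_ALGS),
          ("hash", HASH_ALGS), ("comp", COMPRESSION_ALGS))


def algorithm_name(registry, ident):
    """Name for an identifier, or ValueError when the table has no such entry."""
    if ident in registry:
        return registry[ident]
    if ident in PRIVATE_RANGE:
        return f"Private algorithm {ident}"
    raise ValueError(f"identifier {ident} is not in the table")


def build_header(pk, sym, hsh, comp):
    """Sender side: record the four identifiers Alice used."""
    values = (pk, sym, hsh, comp)
    for (field, registry), ident in zip(FIELDS, values):
        algorithm_name(registry, ident)            # refuse to advertise an unknown id
    return ";".join(f"{field}={ident}" for (field, _), ident in zip(FIELDS, values))


def parse_header(header):
    """Receiver side: map identifiers back to algorithms Bob can run.

    Reserved and private identifiers are rejected: without an out-of-band
    agreement the receiver has no algorithm to run for them."""
    pairs = dict(item.split("=", 1) for item in header.split(";"))
    result = {}
    for field, registry in FIELDS:
        if field not in pairs:
            raise ValueError(f"header lacks the {field} identifier")
        ident = int(pairs[field])
        name = algorithm_name(registry, ident)
        if name.startswith("Reserved") or ident in PRIVATE_RANGE:
            raise ValueError(f"{field}={ident} ({name}) cannot be processed")
        result[field] = name
    result["confidential"] = result["sym"] != "No encryption"
    return result


def header_is_acceptable(header):
    """True when every identifier names an algorithm the receiver can run."""
    try:
        parse_header(header)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    header = build_header(1, 2, 1, 1)   # RSA, triple DES, MD5, ZIP
    print(header, parse_header(header))
```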



PGP Certificates

PGP, like other protocols we have seen so far, uses certificates to authenticate public keys. However, the process is totally different.




X.509 Certificates

Protocols that use X.509 certificates depend on the hierarchical structure of the trust. There is a predefined chain of trust from the root to any certificate. Every user fully trusts the authority of the CA at the root level (prerequisite). The root issues certificates for the CAs at the second level, a second-level CA issues a certificate for the third level, and so on. Every party that needs to be trusted presents a certificate from some CA in the tree. If Alice does not trust the certificate issuer for Bob, she can appeal to a higher-level authority up to the root (which must be trusted for the system to work). In other words, there is one single path from a fully trusted CA to a certificate.

In X.509, there is a single path from the fully trusted authority to any certificate.



PGP Certificates

In PGP, there is no need for CAs; anyone in the ring can sign a certificate for anyone else in the ring. Bob can sign a certificate for Ted, John, Anne, and so on. There is no hierarchy of trust in PGP; there is no tree. The lack of hierarchical structure may result in the fact that Ted may have one certificate from Bob and another certificate from Liz. If Alice wants to follow the line of certificates for Ted, there are two paths: one starts from Bob and one starts from Liz. An interesting point is that Alice may fully trust Bob, but only partially trust Liz. There can be multiple paths in the line of trust from a fully or partially trusted authority to a certificate. In PGP, the issuer of a certificate is usually called an introducer.

In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.



Trusts and Legitimacy

The entire operation of PGP is based on introducer trust, the certificate trust, and the legitimacy of the public keys.

Introducer Trust Levels With the lack of a central authority, it is obvious that the ring cannot be very large if every user in the PGP ring of users has to fully trust everyone else. (Even in real life we cannot fully trust everyone that we know.) To solve this problem, PGP allows different levels of trust. The number of levels is mostly implementation dependent, but for simplicity, let us assign three levels of trust to any introducer: none, partial, and full. The introducer trust level specifies the trust levels issued by the introducer for other people in the ring. For example, Alice may fully trust Bob, partially trust Anne, and not trust John at all. There is no mechanism in PGP to determine how to make a decision about the trustworthiness of the introducer; it is up to the user to make this decision.



Certificate Trust Levels When Alice receives a certificate from an introducer, she stores the certificate under the name of the subject (certified entity). She assigns a level of trust to this certificate. The certificate trust level is normally the same as the introducer trust level that issued the certificate. Assume that Alice fully trusts Bob, partially trusts Anne and Janette, and has no trust in John. The following scenarios can happen.

1. Bob issues two certificates, one for Linda (with public key K1) and one for Lesley (with public key K2). Alice stores the public key and certificate for Linda under Linda's name and assigns a full level of trust to this certificate. Alice also stores the certificate and public key for Lesley under Lesley's name and assigns a full level of trust to this certificate.

2. Anne issues a certificate for John (with public key K3). Alice stores this certificate and public key under John's name, but assigns a partial level of trust to this certificate.

3. Janette issues two certificates, one for John (with public key K3) and one for Lee (with public key K4). Alice stores John's certificate under his name and Lee's certificate under his name, each with a partial level of trust. Note that John now has two certificates, one from Anne and one from Janette, each with a partial level of trust.

4. John issues a certificate for Liz. Alice can discard or keep this certificate with a signature trust of none.

Key Legitimacy The purpose of using introducer and certificate trusts is to determine the legitimacy of a public key. Alice needs to know how legitimate the public keys of Bob, John, Liz, Anne, and so on are. PGP defines a very clear procedure for determining key legitimacy. The level of the key legitimacy for a user is the weighted trust levels of that user. For example, suppose we assign the following weights to certificate trust levels:

1. A weight of 0 to a nontrusted certificate

2. A weight of 1/2 to a certificate with partial trust

3. A weight of 1 to a certificate with full trust

Then to fully trust an entity, Alice needs one fully trusted certificate or two partially trusted certificates for that entity. For example, Alice can use John's public key in the previous scenario because both Anne and Janette have issued a certificate for John, each with a certificate trust level of 1/2. Note that the legitimacy of a public key belonging to an entity does not have anything to do with the trust level of that person. Although Bob can use John's public key to send a message to him, Alice cannot accept any certificate issued by John because, for Alice, John has a trust level of none.

Starting the Ring

You might have realized a problem with the above discussion. What if nobody sends a certificate for a fully or partially trusted entity? For example, how can the legitimacy of Bob's public key be determined if no one has sent a certificate for Bob? In PGP, the key legitimacy of a trusted or partially trusted entity can also be determined by other methods.

1. Alice can physically obtain Bob's public key. For example, Alice and Bob can meet personally and exchange a public key written on a piece of paper or stored on a disk.



2. If Bob's voice is recognizable to Alice, Alice can call him and obtain his public key on the phone.

3. A better solution proposed by PGP is for Bob to send his public key to Alice by e-mail. Both Alice and Bob make a 16-byte MD5 (or 20-byte SHA-1) digest from the key. The digest is normally displayed as eight groups of 4 digits (or ten groups of 4 digits) in hexadecimal and is called a fingerprint. Alice can then call Bob and verify the fingerprint on the phone. If the key is altered or changed during the e-mail transmission, the two fingerprints do not match. To make it even more convenient, PGP has created a list of words, each representing a 4-digit combination. When Alice calls Bob, Bob can pronounce the eight words (or ten words) for Alice. The words are carefully chosen by PGP to avoid those similar in pronunciation; for example, if sword is in the list, ward is not.

4. In PGP, nothing prevents Alice from getting Bob's public key from a CA in a separate procedure. She can then insert the public key in the public key ring.

Key Ring Tables

Each user, such as Alice, keeps track of two key rings: one private key ring and one public key ring. PGP defines a structure for each of these key rings in the form of a table.

Private Key Ring Table Figure 16.7 shows the format of a private key ring table.

Figure 16.7 Format of private key ring table

Private ring: User ID | Key ID | Public key | Encrypted private key | Timestamp

□ User ID. The user ID is usually the e-mail address of the user. However, the user may designate a unique e-mail address or alias for each key pair. The table lists the user ID associated with each pair.

□ Key ID. This column uniquely defines a public key among the user's public keys. In PGP, the key ID for each pair is the first (least significant) 64 bits of the public key. In other words, the key ID is calculated as (public key mod 2^64). The key ID is needed for the operation of PGP because Bob may have several public keys belonging to Alice in his public key ring. When he receives a message from Alice, Bob must know which key ID to use to verify the message. The key ID, which is sent with the message, as we will see shortly, enables Bob to use a specific public key for Alice from his public ring. You might ask why the entire public key is not sent. The answer is that in public-key cryptography, the size of the public key may be very long. Sending just 8 bytes reduces the size of the message.

□ Public Key. This column just lists the public key belonging to a particular private key/public key pair.



□ Encrypted Private Key. This column shows the encrypted value of the private key in the private key/public key pair. Although Alice is the only person accessing her private key, PGP saves only the encrypted version of the private key. We will see later how the private key is encrypted and decrypted.

□ Timestamp. This column holds the date and time of the key pair creation. It helps the user decide when to purge old pairs and when to create new ones.
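Fingerprint and key ID derivation as described under Starting the Ring and in the Key ID column above, as an added example (not the textbook's code and not PGP's packet format). The sample keys and Alice's ring are constructed, and encoding a key as a big-endian integer is this example's own choice; the lookup at the end is the step Bob performs when a message arrives carrying only the 8-byte key ID.

```python
"""Added example, not from the textbook: the two short identifiers derived from
a PGP public key. The fingerprint is the MD5 (16-byte) or SHA-1 (20-byte)
digest of the key, displayed in groups of four hex digits; the key ID is the
least significant 64 bits of the public key (key mod 2^64). Key values and
the ring below are constructed; the big-endian byte encoding of a key is this
example's own convention."""
import hashlib

TWO_64 = 2**64


def fingerprint(public_key_bytes, algorithm="sha1"):
    """Digest of the key formatted for reading aloud: 8 groups (MD5) or 10 (SHA-1)."""
    hexdigest = hashlib.new(algorithm, public_key_bytes).hexdigest().upper()
    return " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))


def fingerprints_match(spoken, displayed):
    """Compare as read over the phone: spacing and letter case do not matter."""
    def normalise(text):
        return "".join(text.split()).upper()
    return normalise(spoken) == normalise(displayed)


def key_id(public_key):
    """PGP key ID: the low 64 bits of the public key, as an integer."""
    return public_key % TWO_64


def key_id_hex(public_key):
    """The 8 bytes that travel with the message instead of the whole key."""
    return f"{key_id(public_key):016X}"


def key_to_bytes(public_key):
    return public_key.to_bytes((public_key.bit_length() + 7) // 8, "big")


def select_public_key(ring, wanted_key_id):
    """Bob's lookup: which of Alice's several public keys goes with this message?"""
    for public_key in ring:
        if key_id(public_key) == wanted_key_id:
            return public_key
    raise KeyError(f"no key with ID {wanted_key_id:016X} in the ring")


def constructed_key(label):
    """Deterministic stand-in for a public key (not a real RSA modulus)."""
    return int.from_bytes(hashlib.sha256(label).digest() * 4, "big")


# Constructed ring: two public keys belonging to Alice, as held by Bob.
ALICE_KEYS = [constructed_key(b"alice key one"), constructed_key(b"alice key two")]


if __name__ == "__main__":
    for key in ALICE_KEYS:
        print(key_id_hex(key), fingerprint(key_to_bytes(key)))
```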

Example 16.1

Let us show a private key ring table for Alice. We assume that Alice has only two user IDs, alice@anet.net and a second address. We also assume that Alice has two sets of private/public keys, one for each user ID. Table 16.5 shows the private key ring table for Alice.

Table 16.5 Private key ring table for Example 16.1

User ID        | Key ID    | Public key | Encrypted private key | Timestamp
alice@anet.net | AB13...45 | AB13...    | ...                   | 031505-16:23
...            | FA23...12 | FA23...    | 3245...23             | 031504-...

Note that although the values of key ID, public key, and private key are shown in hexadecimal, and a ddmmyy-time format is used for the timestamp, these formats are only for presentation and may be different in an actual implementation.

Public Key Ring Table Figure 16.8 shows the format of a public key ring table.

Figure 16.8 Format of a public key ring table

Public ring: User ID | Key ID | Public key | Producer trust | Certificate(s) | Certificate trust(s) | Key legitimacy | Timestamp

□ User ID. As in the private key ring table, the user ID is usually the e-mail address of the entity.

□ Key ID. As in the private key ring table, the key ID is the first (least significant) 64 bits of the public key.

□ Public Key. This is the public key of the entity.

□ Producer Trust. This column defines the producer level of trust. In most implementations, it can only be one of three values: none, partial, or full.

□ Certificate(s). This column holds the certificate or certificates signed by other entities for this entity. A user ID may have more than one certificate.



□ Certificate Trust(s). This column represents the certificate trust or trusts. If Anne sends a certificate for John, PGP searches the row entry for Anne, finds the value of the producer trust for Anne, copies that value, and inserts it in the certificate trust field in the entry for John.

□ Key Legitimacy. This value is calculated by PGP based on the value of the certificate trust and the predefined weight for each certificate trust.

□ Timestamp. This column holds the date and time of the column creation.




Example 16.2

A series of steps will show how a public key ring table is formed for Alice.

1. Start with one row, Alice herself, as shown in Table 16.6. Use N (none), P (partial), and F (full) for the levels of trust. For simplicity, also assume that everyone (including Alice) has

Table 16.6 Example 16.2, starting table

User ID  | Key ID | Public key | Producer trust | Certificate(s) | Certificate trust(s) | Key legitimacy | Timestamp
Alice... | AB...  | ...        | F              |                |                      | F              | ...

Note that, based on this table, we assume that Alice has issued a certificate for herself (implicitly). Alice of course trusts herself fully. The producer level of trust is also full and so is the key legitimacy. Although Alice never uses this first row, it is needed for the operation of PGP.

2. Now Alice adds Bob to the table. Alice fully trusts Bob, but to obtain his public key, she asks Bob to send the public key by e-mail, as well as his fingerprint. Alice then calls Bob to check the fingerprint. Table 16.7 shows this new event.

Table 16.7 Example 16.2, after Bob is added to the table

User ID  | Key ID | Public key | Producer trust | Certificate(s) | Certificate trust(s) | Key legitimacy | Timestamp
Alice... | AB...  | ...        | F              |                |                      | F              | ...
Bob...   | 12...  | ...        | F              |                |                      | F              | ...

Note that the value of the producer trust is full for Bob because Alice fully trusts Bob. The value of the certificate field is empty, which shows that this key has been received directly, and not by a certificate.

3. Now Alice adds Ted to the table. Ted is fully trusted. However, for this particular user, Alice does not have to call Ted. Instead, Bob, who knows Ted's public key, sends Alice a certificate that includes Ted's public key, as shown in Table 16.8.



Table 16.8 Example 16.2, after Ted is added to the table

User ID  | Key ID | Public key | Producer trust | Certificate(s) | Certificate trust(s) | Key legitimacy | Timestamp
Alice... | AB...  | ...        | F              |                |                      | F              | ...
Bob...   | 12...  | ...        | F              |                |                      | F              | ...
Ted...   | ...    | ...        | F              | Bob's          | F                    | F              | ...

Note that the value of the certificate field shows that the certificate was received from Bob. The value of the certificate trust is copied by PGP from Bob's producer trust field. The value of the key legitimacy field is the value of the certificate trust multiplied by 1 (the

4. Now Alice adds Anne to the list. Alice partially trusts Anne, but Bob, who is fully trusted, sends a certificate for Anne. Table 16.9 shows the new event.

Table 16.9 Example 16.2, after Anne is added to the table

User ID  | Key ID | Public key | Producer trust | Certificate(s) | Certificate trust(s) | Key legitimacy | Timestamp
Alice... | AB...  | ...        | F              |                |                      | F              | ...
Bob...   | 12...  | ...        | F              |                |                      | F              | ...
Ted...   | ...    | ...        | F              | Bob's          | F                    | F              | ...
Anne...  | ...    | ...        | P              | Bob's          | F                    | F              | ...

Note that the producer trust value for Anne is partial, but the certificate trust and key legitimacy is full.

5. Now Anne introduces John, who is not trusted by Alice. Table 16.10 shows the new event.



Table 16.10 Example 16.2, after John is added to the table

User ID  | Key ID | Public key | Producer trust | Certificate(s) | Certificate trust(s) | Key legitimacy | Timestamp
Alice... | AB...  | ...        | F              |                |                      | F              | ...
Bob...   | 12...  | ...        | F              |                |                      | F              | ...
Ted...   | ...    | ...        | F              | Bob's          | F                    | F              | ...
Anne...  | ...    | ...        | P              | Bob's          | F                    | F              | ...
John...  | ...    | ...        | N              | Anne's         | P                    | P              | ...

Note that PGP has copied the value of Anne's producer trust (P) to the certificate trust field for John. The value of the key legitimacy field for John is 1/2 (P) at this moment, which means that Alice must not use John's key until it changes to 1 (F).

6. Now Janette, who is unknown to Alice, sends a certificate for Lee. Alice totally ignores this certificate because she does not know Janette.

7. Now Ted sends a certificate for John (John, who is trusted by Ted, has probably asked Ted to send this certificate). Alice looks at the table and finds John's user ID with the corresponding key ID and public key. Alice does not add another row to the table; she just modifies the table as shown in Table 16.11.

Because John has two certificates in Alice's table and his key legitimacy value is 1, Alice can use his key. But John is still untrustworthy. Note that Alice can continue to add entries to the table.



Table 16.11 Example 16.2, after one more certificate is received for John

User ID  | Key ID | Public key | Producer trust | Certificate(s)  | Certificate trust(s) | Key legitimacy | Timestamp
Alice... | AB...  | ...        | F              |                 |                      | F              | ...
Bob...   | 12...  | ...        | F              |                 |                      | F              | ...
Ted...   | ...    | ...        | F              | Bob's           | F                    | F              | ...
Anne...  | ...    | ...        | P              | Bob's           | F                    | F              | ...
John...  | ...    | ...        | N              | Anne's, Ted's   | P, F                 | F              | ...


Trust Model in PGP

As Zimmermann has proposed, we can create a trust model for any user in a ring with the user as the center of activity. Such a model can look like the one shown in Figure 16.9. The figure shows the trust model for Alice at some moment. The diagram may change with any changes in the public key ring table.

Figure 16.9 Trust model (legend: X has legitimate key; X introduced by Y; ? X introduced by an unknown entity; fully trusted entity)

Let us elaborate on the figure. Figure 16.9 shows that there are three entities in Alice's ring with full trust (Alice herself, Bob, and Ted). The figure also shows three entities with partial trust (Anne, Mark, and Bruce). There are also six entities with no trust. Nine entities have a legitimate key. Alice can encrypt a message to any one of these entities or verify a signature received from one of these entities (Alice's key is never used in this model). There are also three entities that do not have any legitimate keys with Alice.



1 6 SECUm^AT THE APPUCA TlQN IA YEHr PGP AND SMME 

\ 

Bob, Anne, and Mark have made their keys legitimate by sending their keys by 
e-mail and verifying their fingerprints by phone. Helen, on the other hand, has sent a 
certificate from a CA because she is not trusted by Alice and verification on the phone 
is not possible. Although Ted is fully trusted, he has given Alice a certificate signed by 
Bob. John has sent Alice two certificates, one signed by Ted and one by Anne. Kevin 
has sent two certificates to Alice, one signed by Anne and one by Mark. Each of these 
certificates gives Kevin half a point of legitimacy; therefore, Kevin's key is legitimate. 
Duc has sent two certificates to Alice, one signed by Mark and the other by Helen. 
Since Mark is half-trusted and Helen not trusted, Duc does not have a legitimate 
key. Jenny has sent four certificates, one signed by a half-trusted entity, two by un- 
trusted entities, and one by an unknown entity. Jenny does not have enough points to 
make her key legitimate. Luise has sent one certificate signed by an unknown entity. 
Note that Alice may keep Luise's name in the table in case future certificates for Luise 
arrive. 
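The legitimacy rule applied above (a certificate from a fully trusted introducer is worth one point, from a half-trusted one half a point, and a key is legitimate at one point) as an added Python example, not code from the book. It assumes that the CA that certified Helen counts as a fully trusted introducer, and the entries for Bruce and for Jenny's introducers are constructed because the text does not name them.

```python
"""Key-legitimacy scoring for a PGP public key ring.

Added example, not Forouzan's code. It applies the rule described above:
a certificate from a fully trusted introducer is worth one point, one from
a partially (half-) trusted introducer half a point, and one from an
untrusted or unknown introducer nothing; a key becomes legitimate once the
points reach one. A key whose fingerprint the owner verified by phone is
legitimate outright. The CA that certified Helen is modelled as a fully
trusted introducer (assumption). Entities and trust levels follow the
description of Figure 16.9; how Bruce's key became legitimate and which
introducers signed Jenny's certificates are not stated, so those entries
are constructed.
"""
from fractions import Fraction

FULL, PARTIAL, NONE = "full", "partial", "none"   # an unknown entity is simply absent

POINTS = {FULL: Fraction(1), PARTIAL: Fraction(1, 2), NONE: Fraction(0)}
LEGITIMACY_THRESHOLD = Fraction(1)

# Alice's trust in the entities of her ring (Figure 16.9). The CA entry is constructed.
TRUST = {
    "Alice": FULL, "Bob": FULL, "Ted": FULL, "CA": FULL,
    "Anne": PARTIAL, "Mark": PARTIAL, "Bruce": PARTIAL,
    "Helen": NONE, "John": NONE, "Kevin": NONE,
    "Duc": NONE, "Jenny": NONE, "Luise": NONE,
}

# Alice's public key ring: either a directly verified key or the list of
# certificate signers received so far. "Stranger" is an entity not in the ring.
RING = {
    "Alice": {"verified": True},             # the owner's own key
    "Bob":   {"verified": True},             # fingerprint checked by phone
    "Anne":  {"verified": True},
    "Mark":  {"verified": True},
    "Bruce": {"verified": True},             # constructed; not described in the text
    "Ted":   {"certificates": ["Bob"]},
    "Helen": {"certificates": ["CA"]},
    "John":  {"certificates": ["Ted", "Anne"]},
    "Kevin": {"certificates": ["Anne", "Mark"]},
    "Duc":   {"certificates": ["Mark", "Helen"]},
    "Jenny": {"certificates": ["Bruce", "Helen", "John", "Stranger"]},  # constructed signers
    "Luise": {"certificates": ["Stranger"]},
}


def certificate_points(signer, trust):
    """Points one certificate contributes: the ring owner's trust in its signer.

    A signer absent from the ring is an unknown entity and contributes nothing.
    """
    return POINTS[trust.get(signer, NONE)]


def legitimacy_points(signers, trust):
    """Total points a key has collected from its certificates."""
    return sum((certificate_points(s, trust) for s in signers), Fraction(0))


def is_legitimate(name, ring, trust):
    """True when the key can be used to encrypt to `name` or verify its signatures."""
    entry = ring[name]
    if entry.get("verified"):
        return True
    return legitimacy_points(entry.get("certificates", ()), trust) >= LEGITIMACY_THRESHOLD


def legitimate_keys(ring, trust):
    """Names whose keys Alice may use, in alphabetical order."""
    return sorted(name for name in ring if is_legitimate(name, ring, trust))


def pending_keys(ring, trust):
    """Keys kept in the table (like Luise's) in case further certificates arrive."""
    return sorted(name for name in ring if not is_legitimate(name, ring, trust))


if __name__ == "__main__":
    for name in RING:
        pts = legitimacy_points(RING[name].get("certificates", ()), TRUST)
        print(f"{name:6s} points={float(pts):.1f} legitimate={is_legitimate(name, RING, TRUST)}")
```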

Web of Trust 

PGP can eventually make a web of trust between a group of people. If each entity 
introduces more entities to other entities, the public key ring for each entity gets larger 
and larger and entities in the ring can send secure e-mail to each other. 

Revocation 

It may become necessary for an entity to revoke his or her public key from the ring. 
This may happen if the owner of the key feels that the key is compromised (stolen, for 
example) or just too old to be safe. To revoke a key, the owner can send a revocation 
certificate signed by herself. The revocation certificate must be signed by the old key 
and disseminated to all the people in the ring that use that public key. 

Extracting Information from Rings 

As we have seen, the sender and receiver each have two key rings, one private and one 
public. Let us see how information needed for sending and receiving a message is 
extracted from these rings. 

Sender Site 

Assume that Alice is sending an e-mail to Bob. Alice needs five pieces of information: 
the key ID of the public key she is using, her private key, the session key, Bob's public- 
key ID, and Bob's public key. To obtain these five pieces of information Alice needs to 
feed four pieces of information to PGP: her user ID (for this e-mail), her passphrase, a 
sequence of keystrokes with possible pauses, and Bob's user ID. See Figure 16.10. 

Alice's public-key ID (to be sent with the message) and her private key (to sign the 
message) are stored in the private key ring table. Alice selects the user ID (her e-mail 
address) that she wants to use as an index to this ring. PGP extracts the key ID and the 
encrypted private key. PGP uses the predefined decryption algorithm and her hashed 
passphrase (as the key) to decrypt this private key. 




SECTION 16.2 PGP 481 

Figure 16.10 Extracting information at the sender site (Alice's key ID, Alice's private key, session key, Bob's key ID, Bob's public key) 

Alice also needs a secret session key. The session key in PGP is a random number 
with a size defined in the encryption/decryption algorithm. PGP uses a random number 
generator to create a random session key. The seed is a set of arbitrary keystrokes typed 
by Alice on her keyboard. Each keystroke is converted to 8 bits and each pause 
between the keystrokes is converted to 32 bits. The combination goes through a com- 
plex random number generator to create a reliable random number as the session 
key. Note that the session key in PGP is a one-time random key (see Appendix K) and 
used only once. 

Alice also needs Bob's key ID (to be sent with the message) and Bob's public key 
(to encrypt the session key). These two pieces of information are extracted from the 
public key ring table using Bob's user ID (his e-mail address). 

Receiver Site 

At the receiver site, Bob needs three pieces of information: Bob's private key (to 
decrypt the session key), the session key (to decrypt the data), and Alice's public key 
(to verify the signature). See Figure 16.11. 

Bob uses the key ID of his public key sent by Alice to find his corresponding pri- 
vate key needed to decrypt the session key. This piece of information can be extracted 
from Bob's private key ring table. The private key, however, is encrypted when stored; 
Bob needs to use his passphrase and the hash function to decrypt it. 

The encrypted session key is sent with the message; Bob uses his decrypted private 
key to decrypt the session key. 
Bob uses Alice's key ID sent with the message to extract Alice's public key, which 
is stored in Bob's public key ring table. 



Figure 16.11 Extracting information at the receiver site (private key ring: key ID, encrypted private key; session key; public key ring: Alice's public key) 


PGP Packets 



A message in PGP consists of one or more packets. During the evolution of PGP, 
the format and the number of packet types have changed. Like other protocols we have 
seen so far, PGP has a generic header that applies to every packet. The generic header 
in the most recent version has only two fields, as shown in Figure 16.12. 



Figure 16.12 Format of packet header (tag byte: first bit 1, second bit 0 = old format / 1 = new format, six bits for 64 different packet types; length field) 


□ Tag. The recent format for this field defines a tag as an 8-bit flag; the first 
bit (most significant) is always 1. The second bit is 1 if we are using the latest 
version. The remaining six bits can define up to 64 different packet types, as shown 
in Table 16.12. 

□ Length. The length field defines the length of the entire packet in bytes. The size 
of this field is variable; it can be 1, 2, or 5 bytes. The receiver can determine 






Table 16.12 Some commonly used packet types 

Packet type 
Session key packet encrypted using a public key 
Signature packet 
Private-key packet 
Public-key packet 
Compressed data packet 
Data packet encrypted with a secret key 
Literal data packet 
User ID packet 



the number of bytes of the length field by looking at the value of the byte 
immediately following the tag field. 

a. If the value of the byte after the tag field is less than 192, the length field is 
only one byte. The length of the body (packet minus header) is calculated as: 

Body length = first byte 

b. If the value of the byte after the tag field is between 192 and 223 (inclusive), 
the length field is two bytes. The length of the body can be calculated as: 

Body length = ((first byte - 192) << 8) + second byte + 192 

c. If the value of the byte after the tag field is between 224 and 254 (inclusive), 
the length field is one byte. This type of length field defines only the length 
of part of the body (partial body length). The partial body length can be 
calculated as: 

Partial body length = 1 << c (c = value of the five rightmost bits of the byte) 

Note that the formula means 1 x 2^c; the power c is actually the value of the 
five rightmost bits. Because the field is between 224 and 254 inclusive, the value of 
the five rightmost bits is between 0 and 30, inclusive. In other words, the partial body 
length can be between one (2^0) and 1,073,741,824 (2^30). When a packet becomes 
several partial bodies, the partial body length is applicable. Each partial body length 
defines one part of the length. The last length field cannot be a partial body length. 
For example, if a packet has four parts, it can have three partial length fields 
and one length field of another type. 

d. If the value of the byte after the tag field is 255, the length field con- 
sists of five bytes. The length of the body is calculated as: 

Body length = (second byte << 24) + (third byte << 16) + (fourth byte << 8) + fifth byte 




Literal Data Packet The literal data packet is the packet that carries or holds the 
actual data that is being transmitted or stored. This packet is the most elementary type 
of message; it cannot carry any other packet. The format of the packet is shown 
in Figure 16.13. 

Figure 16.13 Literal data packet (Mode, Length of next field, File name, Timestamp, Literal data) 

□ Mode. This one-byte field defines how data is written to the packet. The value of 
this field can be "b" for binary, "t" for text, or any other locally defined value. 

□ Length of next field. This one-byte field defines the length of the next field (file 
name field). 

□ File name. This variable-length field defines the name of the file or message as 
an ASCII string. 

□ Timestamp. This four-byte field defines the time of creation or last modification 
of the message. The value can be 0, which means that the user chooses not to 
specify a time. 

□ Literal data. This variable-length field carries the actual data, file, or message 
in text or binary (depending on the value of the mode field). 
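To make the header rules of cases a through d and the literal data packet layout concrete, here is a parser and builder in Python; it is an added example, not code from the book. It assumes the RFC 4880 tag value 11 for the literal data packet (the tag numbers in Table 16.12 are not legible here) and constructed file contents.

```python
"""Parser and builder for the new-format PGP packet header and the literal data packet.

Added example, not code from the book. It implements the length rules of
cases a-d (one-, two- and five-byte length fields and partial body lengths)
and the literal data packet layout of Figure 16.13. The packet tag value
for literal data (11) is the RFC 4880 value, an assumption since the book's
table is not legible here; the file name, timestamp and data are constructed.
"""
import struct

TAG_LITERAL_DATA = 11      # RFC 4880 value (assumption)


def parse_length(buf, pos):
    """Decode one length field at buf[pos]; returns (length, is_partial, next_pos)."""
    first = buf[pos]
    if first < 192:                                        # case a: one byte
        return first, False, pos + 1
    if first <= 223:                                       # case b: two bytes
        return ((first - 192) << 8) + buf[pos + 1] + 192, False, pos + 2
    if first <= 254:                                       # case c: partial body, 2^(five low bits)
        return 1 << (first & 0x1F), True, pos + 1
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], False, pos + 5   # case d: five bytes


def encode_length(n):
    """Shortest non-partial encoding of a body length n (inverse of cases a, b and d)."""
    if n < 192:
        return bytes([n])
    if n <= 8383:                                          # largest value a two-byte field holds
        n -= 192
        return bytes([192 + (n >> 8), n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def parse_header(buf, pos=0):
    """Decode the generic header; returns (tag, length, is_partial, body_start)."""
    tag_byte = buf[pos]
    if not tag_byte & 0x80:
        raise ValueError("the first (most significant) bit of the tag must be 1")
    if not tag_byte & 0x40:
        raise ValueError("old-format header; this parser handles the new format only")
    length, partial, body_start = parse_length(buf, pos + 1)
    return tag_byte & 0x3F, length, partial, body_start    # six bits: up to 64 packet types


def read_packet(buf, pos=0):
    """Read one packet, reassembling partial bodies; returns (tag, body, next_pos)."""
    tag, length, partial, pos = parse_header(buf, pos)
    body = bytearray()
    while True:
        if pos + length > len(buf):
            raise ValueError("packet body runs past the end of the data")
        body += buf[pos:pos + length]
        pos += length
        if not partial:
            return tag, bytes(body), pos
        if pos >= len(buf):                                # the last length field may not be partial
            raise ValueError("data ends after a partial body length")
        length, partial, pos = parse_length(buf, pos)      # continuation: a length field only, no tag


def build_literal_packet(mode, file_name, timestamp, data):
    """Assemble a literal data packet (Figure 16.13) under a new-format header."""
    name = file_name.encode("ascii")
    if len(name) > 255:
        raise ValueError("file name does not fit the one-byte length-of-next-field")
    body = bytes([ord(mode), len(name)]) + name + struct.pack(">I", timestamp) + data
    return bytes([0xC0 | TAG_LITERAL_DATA]) + encode_length(len(body)) + body


def parse_literal_body(body):
    """Split a literal data packet body into its five fields."""
    mode = chr(body[0])
    n = body[1]
    name = body[2:2 + n].decode("ascii")
    (timestamp,) = struct.unpack(">I", body[2 + n:6 + n])
    return {"mode": mode, "file_name": name, "timestamp": timestamp, "data": body[6 + n:]}


# Constructed samples: a binary literal packet, and the same body carried as a
# partial body of 2^2 bytes followed by a final one-byte length field.
SAMPLE_PACKET = build_literal_packet("b", "notes.txt", 0, b"hello")
SAMPLE_PARTIAL = (bytes([0xC0 | TAG_LITERAL_DATA, 0xE2]) + SAMPLE_PACKET[2:6]
                  + encode_length(len(SAMPLE_PACKET) - 6) + SAMPLE_PACKET[6:])

if __name__ == "__main__":
    for raw in (SAMPLE_PACKET, SAMPLE_PARTIAL):
        tag, body, end = read_packet(raw)
        print(tag, end, parse_literal_body(body))
```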

Compressed Data Packet This packet carries compressed data packets. Figure 16.14 
shows the format of a compressed data packet. 



Figure 16.14 Compressed data packet (one or more packets; compress; Compression method, Compressed data) 



□ Compression method. This one-byte field defines the compression method used 
to compress the data (next field). The values defined for this field so far are 1 (ZIP) 
and 2 (ZLIB). However, an implementation can use other experimental compression 
methods. ZIP is discussed in Appendix M. 

□ Compressed data. This variable-length field carries the data after compres- 
sion. Note that the data in this field can be one packet or the concatenation of 
two or more packets. The common situation is a single literal data packet or a 
combination of a signature packet followed by a literal data packet. 

Data Packet Encrypted with Secret Key This packet carries data from one packet 
or a combination of packets that have been encrypted using a conventional symmetric- 
key algorithm. Note that a packet carrying the one-time session key must be sent before 



Figure 16.15 Data packet encrypted with secret key (one or more packets encrypted with the session key; Encrypted data) 



Signature Packet A signature packet, as we discussed before, protects the integrity 
of the data. Figure 16.16 shows the format of the signature packet. 



Figure 16.16 Signature packet (Version, Length, Signature type, Timestamp, Key ID (8 bytes), Public-key algorithm, Hash algorithm, First two bytes of digest, Signature; the digest of the file or other information is encrypted with Alice's private key) 

□ Version. This one-byte field defines the PGP version that is being used. 

□ Length. This field was originally designed to show the length of the next two 
fields, but because the size of these fields is now fixed, the value of this field is 5. 

□ Signature type. This one-byte field defines the purpose of the signature, the docu- 
ment it signs. Table 16.13 shows some signature types. 

Table 16.13 Some signature types 

Value   Description 
0x00    Signature of a binary document (message or file). 
0x01    Signature of a canonical text document (message or file). 
0x10    Generic certificate of a user ID and public-key packet. The signer does not 
        make any particular assertion about the owner of the key. 
0x11    Personal certificate of a user ID and public-key packet. No verification is 
        done on the owner of the key. 
0x12    Casual certificate of a user ID and public-key packet. Some casual verification 
        is done on the owner of the key. 
0x13    Positive certificate of a user ID and public-key packet. Substantial verification 
        is done. 
0x30    Certificate revocation signature. This removes an earlier certificate (0x10 
        through 0x13). 



□ Timestamp. This four-byte field defines the time the signature was calculated. 

□ Key ID. This eight-byte field defines the public-key ID of the signer. It indicates to 
the verifier which signer public key should be used to decrypt the digest. 

□ Public-key algorithm. This one-byte field gives the code for the public-key algo- 
rithm used to encrypt the digest. The verifier uses the same algorithm to decrypt 
the digest. 

□ Hash algorithm. This one-byte field gives the code for the hash algorithm used to 
create the digest. 

□ First two bytes of message digest. These two bytes are used as a kind of check- 
sum. They ensure that the receiver is using the right key ID to decrypt the digest. 

□ Signature. This variable-length field is the signature. It is the encrypted digest 
signed by the sender. 

Session-Key Packet Encrypted with Public Key This packet is used to send the 
session key encrypted with the receiver public key. The format of the packet is shown in 
Figure 16.17. 

□ Version. This one-byte field defines the PGP version being used. 

□ Key ID. This eight-byte field defines the public-key ID of the sender. It indicates to 
the receiver which sender public key should be used to decrypt the session key. 

□ Public-key algorithm. This one-byte field gives the code for the public-key algo- 
rithm used to encrypt the session key. The receiver uses the same algorithm to 
decrypt the session key. 



Figure 16.17 Session-key packet (Version, Key ID, Public-key algorithm, Encrypted session key (variable length); the symmetric-key session key is encrypted with Bob's public key) 

□ Encrypted session key. This variable-length field is the encrypted value of the session key 
created by the sender and sent to the receiver. The encryption is done on the following: 

a. One-octet symmetric encryption algorithm 

b. The session key 

c. A two-octet checksum equal to the sum of the preceding session-key octets 

Public-Key Packet This packet contains the public key of the sender. The format of 
the packet is shown in Figure 16.18. 

Figure 16.18 Public-key packet (Version, Timestamp, Validity, Public-key algorithm, Public key) 

□ Version. This one-byte field defines the version of PGP being used. 

□ Timestamp. This four-byte field defines the time the key was created. 

□ Validity. This two-byte field shows the number of days the key is valid. If the value 
is 0, it means the key does not expire. 

□ Public-key algorithm. This one-byte field gives the code for the public-key algorithm. 

□ Public key. This variable-length field holds the public key itself. Its contents 
depend on the public-key algorithm used. 



User ID Packet This packet identifies a user and can normally associate the user ID 
with a public-key packet. Note that the length field of the general header is only one byte. 
See Figure 16.19. 



Figure 16.19 User ID packet 

□ User ID. This variable-length string defines the user ID of the sender. It is normally 
the name of the user followed by an e-mail address. 

PGP Messages 

A PGP message is a combination of packets, which can be nested. Even though 
only certain combinations of packets make a message, the list is still 
long. In this section, we give a few examples to show the idea. 

Encrypted Message 



Figure 16.20 Encrypted message (session-key packet carrying the encrypted session key; encrypted data packet) 



Note that the session-key packet is just a single packet. The encrypted data packet, 
however, is made of a compressed packet. The compressed packet is made of a literal 
data packet. The last one holds the literal data. 

Signed Message 

A signed message can be the combination of a signature packet and a literal packet, as 
shown in Figure 16.21. 

Figure 16.21 Signed message (signature packet; literal data packet holding the literal data) 

Certificate Message 

Although a certificate can take many forms, one simple example is the combination of a 
user ID packet and a public-key packet as shown in Figure 16.22. The signature is then 
calculated on the concatenation of the key and user ID. 



Figure 16.22 Certificate message (signature packet with the signature calculated on the user ID and public key; user ID packet; public-key packet) 



Applications of PGP 

PGP has been extensively used for personal e-mails. It will probably continue to be. 



16.3 S/MIME 

Another security service designed for electronic mail is Secure/Multipurpose Inter- 
net Mail Extension (S/MIME). The protocol is an enhancement of the Multipurpose 
Internet Mail Extension (MIME) protocol. To better understand S/MIME, first we 
briefly describe MIME. Next, S/MIME is discussed as the extension to MIME. 

MIME 

Electronic mail has a simple structure. Its simplicity, however, comes with a price. It 
can send messages only in NVT 7-bit ASCII format. In other words, it has some limita- 
tions. For example, it cannot be used for languages that are not supported by 7-bit 
ASCII characters (such as Arabic, Chinese, French, German, Hebrew, Japanese, and 
Russian). Also, it cannot be used to send binary files or video or audio data. 

Multipurpose Internet Mail Extensions (MIME) is a supplementary protocol that 
allows non-ASCII data to be sent through e-mail. MIME transforms non-ASCII data at 
the sender site to NVT ASCII data and delivers it to the client MTA to be sent through 
the Internet. The message at the receiving side is transformed back to the original data. 

We can think of MIME as a set of software functions that transform non-ASCII 
data to ASCII data, and vice versa, as shown in Figure 16.23. 




MIME defines five headers that can be added to the original e-mail header section 
to define the transformation parameters: 

1. MIME-Version 

2. Content-Type 

3. Content-Transfer-Encoding 

4. Content-Id 

5. Content-Description 



Figure 16.24 shows the MIME headers. We will describe each header in detail. 

Figure 16.24 MIME header 
MIME-Version: 1.1 
Content-Type: type/subtype 
Content-Transfer-Encoding: encoding type 
Content-Id: message id 
Content-Description: textual explanation of nontextual contents 
E-mail body 



MIME-Version 

This header defines the version of MIME used. The current version is 1.1. 

MIME-Version: 1.1 

Content-Type 

This header defines the type of data used in the body of the message. The content type 
and the content subtype are separated by a slash. Depending on the subtype, the header 
may contain other parameters. 

Content-Type: <type/subtype;parameters> 

MIME allows seven different types of data. These are listed in Table 16.14 and described 
in more detail below. 

□ Text. The original message is in 7-bit ASCII format and no transformation by 
MIME is needed. There are two subtypes currently used, plain and HTML. 

□ Multipart. The body contains multiple, independent parts. The multipart 
header needs to define the boundary between each part. A parameter is used for 
this purpose. The parameter is a string token that comes before each part; it is on 
a separate line by itself and is preceded by two hyphens. The body is terminated 
using the boundary token, again preceded by two hyphens, and then terminated with 
two hyphens. 

Four subtypes are defined for this type: mixed, parallel, digest, and alternative. 
In the mixed subtype, the parts must be presented to the recipient in the exact order 


Table 16.14 Data types and subtypes in MIME 

Type         Subtype        Description 
Text         Plain          Unformatted. 
             HTML           HTML format. 
Multipart    Mixed          Body contains ordered parts of different data types. 
             Parallel       Same as above, but no order. 
             Digest         Similar to Mixed, but the default is message/RFC822. 
             Alternative    Parts are different versions of the same message. 
Message      RFC822         Body is an encapsulated message. 
             Partial        Body is a fragment of a bigger message. 
             External-Body  Body is a reference to another message. 
Image        JPEG           Image is in JPEG format. 
             GIF            Image is in GIF format. 
Video        MPEG           Video is in MPEG format. 
Audio        Basic          Single-channel encoding of voice at 8 kHz. 
Application  PostScript     Adobe PostScript. 
             Octet-stream   General binary data (eight-bit bytes). 

as in the message. Each part has a different type and is defined at the boundary. 
The parallel subtype is similar to the mixed subtype, except that the order of the 
parts is unimportant. The digest subtype is also similar to the mixed subtype except 
that the default type/subtype is message/RFC822, as defined below. In the alterna- 
tive subtype, the same message is repeated using different formats. The following 
is an example of a multipart message using a mixed subtype: 



Content-Type: multipart/mixed; boundary=xxxx 

--xxxx 
Content-Type: text/plain; 
. 
. 
. 
--xxxx 
Content-Type: image/gif; 
. 
. 
. 
--xxxx-- 



□ Message. In the message type, the body is itself an entire mail message, a part 
of a mail message, or a pointer to a message. Three subtypes are currently used: 
RFC822, partial, and external-body. The subtype RFC822 is used if the body is 
encapsulating another message (including header and the body). The partial subtype 




is used if the original message has been fragmented into different mail messages and 
this mail message is one of the fragments. The fragments must be reassembled at the 
destination by MIME. Three parameters must be added: id, number, and the total. The 
id identifies the message and is present in all the fragments. The number defines the 
sequence order of the fragment. The total defines the number of fragments that comprise 
the original message. The following is an example of a message with three fragments: 

The subtype external-body indicates that the body does not contain the actual 
message but is only a reference (pointer) to the original message. The parameters 
following the subtype define how to access the original message. The following is an example: 



Content-Type: message/external-body; 
site="fhda.edu"; 
access-type="ftp"; 



□ Image. The original message is a stationary image, indicating that there is no ani- 
mation. The two currently used subtypes are Joint Photographic Experts Group 
(JPEG), which uses image compression, and Graphics Interchange Format (GIF). 

□ Video. The original message is a time-varying image (animation). The only sub- 
type is Moving Picture Experts Group (MPEG). If the animated image contains 
sounds, it must be sent separately using the audio content type. 

□ Audio. The original message is sound. The only subtype is basic, which uses 8 kHz 
standard audio data. 



□ Application. The original message is a type of data not previously defined. 
There are only two subtypes used currently: octet-stream and PostScript. PostScript is 
used when the data are in Adobe PostScript format. Octet-stream is used when the 
data must be interpreted as a sequence of 8-bit bytes (binary file). 



Content-Transfer-Encoding 

This header defines the method used to encode the messages into 0s and 1s for transport: 

Content-Transfer-Encoding: <type> 

The five types of encoding methods are listed in Table 16.15. 







Table 16.15 Encoding methods 

Type               Description 
7bit               NVT ASCII characters and short lines. 
8bit               Non-ASCII characters and short lines. 
Binary             Non-ASCII characters with unlimited-length lines. 
Radix-64           6-bit blocks of data are encoded into ASCII characters using 
                   Radix-64 conversion. 
Quoted-printable   Non-ASCII characters are encoded as an equal sign followed by an 
                   ASCII code. 



□ 7bit. This is 7-bit NVT ASCII encoding. Although no special transformation is 
needed, the length of the line should not exceed 1,000 characters. 

□ 8bit. This is 8-bit encoding. Non-ASCII characters can be sent, but the length of 
the line still should not exceed 1,000 characters. MIME does not do any encoding 
here; the underlying SMTP protocol must be able to transfer 8-bit non-ASCII char- 
acters. It is, therefore, not recommended. Radix-64 and quoted-printable types are 
preferable. 

□ Binary. This is 8-bit encoding. Non-ASCII characters can be sent, and the length 
of the line can exceed 1,000 characters. MIME does not do any encoding here; the 
underlying SMTP protocol must be able to transfer binary data. It is, therefore, not 
recommended. Radix-64 and quoted-printable types are preferable. 

□ Radix-64. This is a solution for sending data made of bytes when the highest bit is 
not necessarily zero. Radix-64 transforms this type of data to printable characters, 
which can then be sent as ASCII characters or any type of character set supported 
by the underlying mail transfer mechanism. 

Radix-64 divides the binary data (made of streams of bits) into 24-bit 
blocks. Each block is then divided into four sections, each made of 6 bits (see 
Figure 16.25). 

Each 6-bit section is interpreted as one character according to Table 16.16. 

□ Quoted-printable. Radix-64 is a redundant encoding scheme; that is, 24 bits 
become four characters, and eventually are sent as 32 bits. We have an overhead of 
25 percent. If the data consist mostly of ASCII characters with a small non-ASCII 
portion, we can use quoted-printable encoding. If a character is ASCII, it is sent as 
is. If a character is not ASCII, it is sent as three characters. The first character is the 
equal sign (=). The next two characters are the hexadecimal representations of the 
byte. Figure 16.26 shows an example. 
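The two transfer encodings just described, written out from the text as an added Python example (not code from the book). It goes a little beyond the text: it also decodes, pads a final Radix-64 block shorter than 24 bits with "=", and escapes a literal "=" in quoted-printable, as the MIME standard requires; the inputs are constructed, except that the three-byte Radix-64 input is the one in Figure 16.25.

```python
"""Radix-64 and quoted-printable transfer encodings built from the description
above (added example, not code from the book). Radix-64 uses the alphabet of
Table 16.16. The '=' padding of a short final block and the escaping of a
literal '=' in quoted-printable follow the MIME standard and are not covered
in the text. Sample inputs are constructed; the three-byte Radix-64 input is
the one shown in Figure 16.25.
"""

RADIX64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "abcdefghijklmnopqrstuvwxyz"
                    "0123456789+/")                    # values 0..63 (Table 16.16)
RADIX64_VALUE = {c: i for i, c in enumerate(RADIX64_ALPHABET)}


def radix64_encode(data: bytes) -> str:
    """Split the data into 24-bit blocks; each 6-bit section becomes one character."""
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        bits = int.from_bytes(block.ljust(3, b"\0"), "big")          # 24-bit block, zero-filled
        chars = [RADIX64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(block) + 1                        # 1 or 2 trailing bytes give 2 or 3 characters
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def radix64_decode(text: str) -> bytes:
    """Inverse of radix64_encode; rejects characters outside the table and bad padding."""
    if len(text) % 4:
        raise ValueError("Radix-64 text must be a multiple of four characters")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and (i + 4 != len(text) or not quad.endswith("=" * pad))):
            raise ValueError("padding is allowed only at the end of the final block")
        bits = 0
        for c in quad:
            bits = (bits << 6) | (0 if c == "=" else RADIX64_VALUE[c])   # KeyError: not in table
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def quoted_printable_encode(data: bytes) -> str:
    """ASCII bytes pass through; every other byte becomes '=' plus two hex digits."""
    out = []
    for b in data:
        if b < 0x80 and b != 0x3D:                   # a literal '=' must be escaped as well
            out.append(chr(b))
        else:
            out.append("=%02X" % b)
    return "".join(out)


def quoted_printable_decode(text: str) -> bytes:
    """Inverse of quoted_printable_encode."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":
            pair = text[i + 1:i + 3]
            if len(pair) != 2:
                raise ValueError("truncated '=' escape")
            out.append(int(pair, 16))                # ValueError if the pair is not hex
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def choose_encoding(data: bytes) -> str:
    """Pick the shorter encoding, as the text suggests for mostly-ASCII data."""
    qp, r64 = quoted_printable_encode(data), radix64_encode(data)
    return "quoted-printable" if len(qp) <= len(r64) else "radix-64"


if __name__ == "__main__":
    figure_25 = bytes([0b11001100, 0b10000001, 0b00111001])   # the three bytes of Figure 16.25
    print(radix64_encode(figure_25), radix64_decode(radix64_encode(figure_25)) == figure_25)
    mixed = b"&L\x999K"                                          # constructed mixed ASCII / non-ASCII data
    print(quoted_printable_encode(mixed), choose_encoding(mixed))
```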



Figure 16.25 Radix-64 conversion (non-ASCII 11001100 10000001 00111001 is split into 6-bit sections 110011 001000 000100 111001, values 51, 8, 4, 57, which encode to ASCII z, I, E, 5) 

Table 16.16 Radix-64 encoding table 

Value   Code 
0-25    A-Z (0 = A, 1 = B, ..., 25 = Z) 
26-51   a-z (26 = a, 27 = b, ..., 51 = z) 
52-61   0-9 (52 = 0, 53 = 1, ..., 61 = 9) 
62      + 
63      / 

Figure 16.26 Quoted-printable (mixed ASCII and non-ASCII data 00100110 01001100 10011001 00111001 01001011, that is & L non-ASCII 9 K, is sent as the ASCII characters & L = 9 9 9 K) 

Content-Id 

This header uniquely identifies the whole message in a multiple-message environment. 

Content-Id: id=<content-id> 

Content-Description 

This header defines whether the body is image, audio, or video. 

Content-Description: <description> 

S/MIME 

S/MIME adds some new content types to include security services to the MIME. All of 
these new types include the parameter "application/pkcs7-mime", in which "pkcs" 
defines "Public Key Cryptography Specification". 

Cryptographic Message Syntax (CMS) 

To define how security services, such as confidentiality or integrity, can be added to 
MIME content types, S/MIME has defined Cryptographic Message Syntax (CMS). The 
syntax in each case defines the exact encoding scheme for each content type. The 
following describes the types of messages and different subtypes that are created from these 
messages. For details, the reader is referred to RFC 3369 and 3370. 

Data Content Type This is an arbitrary string. The object created is called Data. 

Signed-Data Content Type This type provides only integrity of data. It contains 
any type and zero or more signature values. The encoded result is an object called 
signedData. Figure 16.27 shows the process of creating an object of this type. The 
following are the steps in the process: 

1. For each signer, a message digest is created from the content using the specific 
hash algorithm chosen by that signer. 

2. Each message digest is signed with the private key of the signer. 

3. The content, signature values, certificates, and algorithms are then collected to cre- 
ate the signedData object. 

Enveloped-Data Content Type This type is used to provide privacy for the message. 
It contains encrypted content of any type and zero or more encrypted keys and certificates. 
The encoded result is an object called envelopedData. Figure 16.28 shows the process of 
creating an object of this type. 

1. A pseudorandom session key is created for the symmetric-key algorithms to be used. 

2. For each recipient, a copy of the session key is encrypted with the public key of that recipient. 

3. The content is encrypted using the defined algorithm and created session key. 

4. The encrypted contents, encrypted session keys, algorithm used, and certificates 
are encoded using Radix-64. 



Figure 16.27 Signed-data content type (content of any type; hash; digital signature algorithm, signed with the private key of signer 1 and of signer 2; signature + certificate + algorithm; signedData) 

Figure 16.28 Enveloped-data content type (session key created by a pseudorandom generator; content encrypted with the session key; session key encrypted with the public key of recipient 1 and of recipient 2; recipient identification, public-key certificate, encrypted session key; envelopedData) 

Digested-Data Content Type This type is used to provide integrity for the message. 
The result is normally used as the content for the enveloped-data content type. The 
encoded result is an object called digestedData. Figure 16.29 shows the process of cre- 
ating an object of this type. 

Figure 16.29 Digested-data content type (content; hash algorithm; digest + algorithm; digestedData) 

1. A message digest is calculated from the content. 

2. The message digest, the algorithm, and the content are added together to create the 
digestedData object. 

Encrypted-Data Content Type This type is used to create an encrypted version of 
any content type. Although this looks like the enveloped-data content type, the 
encrypted-data content type has no recipient. It can be used to store the encrypted data 
instead of transmitting it. The process is very simple: the user employs any key (normally 
derived from the password) and any algorithm to encrypt the content. The encrypted con- 
tent is stored without including the key or the algorithm. The object created is called 
encryptedData. 

Authenticated-Data Content Type This type is used to provide authentication of 
the data. The object is called authenticatedData. Figure 16.30 shows the process. 

1. Using a pseudorandom generator, a MAC key is generated for each recipient. 

2. The MAC key is encrypted with the public key of the recipient. 

3. A MAC is created for the content. 

4. The content, MAC, algorithms, and other information are collected together to 
form the authenticatedData object. 

Key Management 

The key management in S/MIME is a combination of key management used by X.509 
and PGP. S/MIME uses public-key certificates signed by the certificate authorities 
defined by X.509. However, the user is responsible to maintain the web of trust to ver- 
ify signatures as defined by PGP. 



Figure 16.30 Authenticated-data content type (MAC key encrypted with the public key of recipient 1 and of recipient 2; MAC algorithm; cipher; MAC + certificate + algorithms + session key; authenticatedData) 

Cryptographic Algorithms 

S/MIME defines several cryptographic algorithms, as shown in Table 16.17. The term 
"must" means an absolute requirement; the term "should" means a recommendation. 

Table 16.17 Cryptographic algorithms for S/MIME 





Algorithm                          Sender must support   Receiver must support   Sender should support   Receiver should support 
Content-encryption algorithm       Triple DES            Triple DES              AES                     1. AES  2. RC2/40 
Session-key encryption algorithm   RSA                   RSA                     Diffie-Hellman          Diffie-Hellman 
Hash algorithm                     SHA-1                 SHA-1                                           MD5 
Digest-encryption algorithm        DSS                   DSS                     RSA                     RSA 
Message-authentication algorithm                                                                         HMAC with SHA-1 

Example 16.3 

The following shows a sample of an envelopedData in which a small message is encrypted 
using triple DES. 

Content-Type: application/pkcs7-mime; smime-type=enveloped-data; 
    name="report.txt"; 
Content-Transfer-Encoding: Radix-64 

Ch32ui67f4htu.il IU2 1 oig7^b(^7hmtikl.^R>o Y8bcfi5TOhIGfH &543mhjkdsaH2^ YjBnmN 
JfbiiiEktjhgfdy hG523K]fe34XiliI^Bs I6sc09jy7fij Hu y LTMDchmtilkjelFdiuy □ 67 SSttmOiti h 
C^^J unl2P24-54Hfflfl7e2Fy W^2M|N^ 1 301 XUil^gftTSEs U yT23 v 

Applications of S/MIME

It is predicted that S/MIME will become the industry choice to provide security for commercial e-mail.



16.4 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this chapter. The items in brackets refer to the reference list at the end of the text.

Books

Electronic mail is discussed in [For06] and [For07]. PGP is discussed in [Sta06], [KPS02], and [Rhe03]. S/MIME is discussed in [Sta06] and [Rhe03].

WebSites

The following websites give more information about topics discussed in this chapter.

http://axion.physics.ubc.ca/pgp-begin.html
csrc.nist.gov/publi
www.faqs.org/rfcs/rfc2632.html



16.5 KEY TERMS

Cryptographic Message Syntax (CMS)
electronic mail (e-mail)
key ring
message access agent (MAA)
message transfer agent (MTA)
Multipurpose Internet Mail Extension (MIME)
Pretty Good Privacy (PGP)
quoted-printable
Radix-64 encoding
Secure/Multipurpose Internet Mail Extension (S/MIME)
user agent (UA)
web of trust



SUMMARY

□ Since there is no session in e-mail communication, the sender of the message needs to include the name or identifiers of the algorithms used in the message. In e-mail communication, encryption/decryption is done using a symmetric-key algorithm, but the secret key to decrypt the message is encrypted with the public key of the receiver and is sent with the message.

□ The first protocol discussed in this chapter is called Pretty Good Privacy (PGP), which was invented by Phil Zimmermann to provide e-mail with privacy, integrity, and authentication. PGP can be used to create a secure e-mail message or to store a file securely for future retrieval.

□ In PGP, Alice needs a ring of public keys for each person with whom Alice needs to correspond. She also needs a ring of private/public keys belonging to her.

□ In PGP, there is no need for CAs; anyone in the ring can sign a certificate for anyone else in the ring. There is no hierarchy of trust in PGP; there is no tree. There can be multiple paths from fully or partially trusted authorities to any subject.

□ The entire operation of PGP is based on introducer trust, levels of trust, and the legitimacy of the public keys. PGP makes a web of trust between a group of people.

□ PGP has defined several packet types: literal data packet, compressed data packet, data packet encrypted with secret key, signature packet, session-key packet encrypted with public key, public-key packet, and user ID packet.

□ In PGP, we can have several types of messages: encrypted message, signed message, and certificate message.

□ Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME). The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol, which is a supplementary protocol that allows non-ASCII data to be sent through e-mail. S/MIME adds some new content types to MIME to provide security services.

□ Cryptographic Message Syntax (CMS) has defined several message types that produce new content types to be added to MIME. This chapter mentioned several message types, including data content type, signed-data content type, enveloped-data content type, digested-data content type, encrypted-data content type, and authenticated-data content type.

□ The key management in S/MIME is a combination of key management used by X.509 and PGP. S/MIME uses public-key certificates signed by the certificate authorities.



16.7 EXERCISES

Review Questions

1. Explain how Bob finds out what cryptographic algorithms Alice has used when he receives a PGP message from her.

2. Explain how Bob finds out what cryptographic algorithms Alice has used when he receives an S/MIME message from her.

3. In PGP, explain how Bob and Alice exchange the secret key for encrypting messages.

4. In S/MIME, explain how Bob and Alice exchange the secret key for encrypting messages.

5. Compare and contrast the nature of certificates in PGP and S/MIME. Explain the web of trust made from certificates in PGP and in S/MIME.

6. Name seven types of packets used in PGP and explain their purposes.

7. Name three types of messages in PGP and explain their purposes.

8. Name all content types defined by CMS and their purposes.

9. Compare and contrast key management in PGP and S/MIME.

Exercises

10. Bob receives a PGP message. How can he find out the type of the packet if the tag value is
  a. 8
  b. 9
  c. 2

11. In PGP, can an e-mail message use two different public-key algorithms for encryption and signing? How is this defined in a message sent from Alice to Bob?

12. Answer the following questions about tag values in PGP:
  a. Can a packet with a tag value of 1 contain another packet?
  b. Can a packet with a tag value of 6 contain another packet?

13. What types of packets should be sent in PGP to provide the following security services:
  a. Confidentiality
  b. Message integrity
  c. Authentication
  d. Nonrepudiation
  e. Combination of a and b
  f. Combination of a and c
  g. Combination of a, b, and c
  h. Combination of a, b, c, and d.

14. What content type in S/MIME provides the following security services:
  a. confidentiality
  b. message integrity
  c. authentication
  d. nonrepudiation
  e. combination of a and b
  f. combination of a and c
  g. combination of a, b, and c
  h. combination of a, b, c, and d.

15. Make a table to compare and contrast the symmetric-key cryptographic algorithms used in PGP and S/MIME.

16. Make a table to compare and contrast the asymmetric-key cryptographic algorithms used in PGP and S/MIME.

17. Make a table to compare and contrast the hash algorithms used in PGP and S/MIME.

18. Make a table to compare and contrast the digital signature algorithms used in PGP and S/MIME.

19. Encode the message "This is a test" using the following encoding scheme:
  a. Radix-64
  b. Quoted-printable



Chapter 17
Security at the Transport Layer: SSL and TLS

This chapter has several objectives:

□ To discuss the need for security services at the transport layer of the Internet model

□ To discuss the general architecture of SSL

□ To discuss the general architecture of TLS

□ To compare and contrast SSL and TLS

Transport layer security provides end-to-end security services for applications that use a reliable transport layer protocol such as TCP. The idea is to provide security services for transactions on the Internet. For example, when a customer shops online, the following security services are desired:

1. The customer needs to be sure that the server belongs to the actual vendor, not an impostor. The customer does not want to give an impostor her credit card number (entity authentication).

2. The customer and the vendor need to be sure that the contents of the message are not modified during transmission (message integrity).

3. The customer and the vendor need to be sure that an impostor does not intercept sensitive information such as a credit card number (confidentiality).

Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former. We first discuss SSL, then TLS, and then compare and contrast the two. Figure 17.1 shows the position of SSL and TLS in the Internet model.



Figure 17.1 Location of SSL and TLS in the Internet model (figure not reproduced; its layers, top to bottom: Application layer, SSL or TLS, TCP, IP)

One of the goals of these protocols is to provide server and client authentication, data confidentiality, and data integrity. Application-layer client/server programs, such as Hypertext Transfer Protocol (HTTP), that use the services of TCP can encapsulate their data in SSL packets. If the server and client are capable of running SSL (or TLS) programs then the client can use the URL https://... instead of http://... to allow HTTP messages to be encapsulated in SSL (or TLS) packets. For example, credit card numbers can be safely transferred via the Internet for online shoppers.



17.1 SSL ARCHITECTURE

SSL is designed to provide security and compression services to data generated from the application layer. Typically, SSL can receive data from any application-layer protocol, but usually the protocol is HTTP. The data received from the application is compressed (optional), signed, and encrypted. The data is then passed to a reliable transport layer protocol such as TCP. Netscape developed SSL in 1994. Versions 2 and 3 were released in 1995. In this chapter, we discuss SSLv3.

Services

SSL provides several services on data received from the application layer.

Fragmentation

First, SSL divides the data into blocks of 2^14 bytes or less.

Compression

Each fragment of data is compressed using one of the lossless compression methods negotiated between the client and server. This service is optional.

Message Integrity

To preserve the integrity of data, SSL uses a keyed-hash function to create a MAC.

Confidentiality

To provide confidentiality, the original data and the MAC are encrypted using symmetric-key cryptography.

Framing

A header is added to the encrypted payload. The payload is then passed to a reliable transport layer protocol.

Key Exchange Algorithms

As we will see later, to exchange an authenticated and confidential message, the client and the server each need six cryptographic secrets (four keys and two initialization vectors). However, to create these secrets, one pre-master secret must be established between the two parties. SSL defines six key-exchange methods to establish this pre-master secret: NULL, RSA, anonymous Diffie-Hellman, ephemeral Diffie-Hellman, fixed Diffie-Hellman, and Fortezza, as shown in Figure 17.2.

Figure 17.2 Key-exchange methods (figure not reproduced; it lists the key exchange algorithms NULL, RSA, Anonymous Diffie-Hellman, Ephemeral Diffie-Hellman (RSA or DSS), Fixed Diffie-Hellman (RSA or DSS), and Fortezza)

NULL

There is no key exchange in this method. No pre-master secret is established between the client and the server.

Both client and server need to know the value of the pre-master secret.

RSA

In this method, the pre-master secret is a 48-byte random number created by the client, encrypted with the server's RSA public key, and sent to the server. The server needs to send its RSA encryption/decryption certificate. Figure 17.3 shows the idea.

Figure 17.3 RSA key exchange; server public key (figure not reproduced; it shows the client sending the pre-master secret, encrypted with the server's public key, to the server)



Anonymous Diffie-Hellman

This is the simplest and most insecure method. The pre-master secret is established between the client and server using the Diffie-Hellman (DH) protocol. The Diffie-Hellman half-keys are sent in plaintext. It is called anonymous Diffie-Hellman because neither party is known to the other. As we have discussed, the most serious disadvantage of this method is the man-in-the-middle attack. Figure 17.4 shows the idea.

Figure 17.4 Anonymous Diffie-Hellman key exchange (figure not reproduced; recovered label: pre-master secret)
Ephemeral Diffie-Hellman

To thwart the man-in-the-middle attack, the ephemeral Diffie-Hellman key exchange can be used. Each party sends a Diffie-Hellman key signed by its private key. The receiving party needs to verify the signature using the public key of the sender. The public keys for verification are exchanged using either RSA or DSS digital signature certificates. Figure 17.5 shows the idea.

Figure 17.5 Ephemeral Diffie-Hellman key exchange (figure not reproduced; labels: Client, Server; S1: Signed with server public key; S2: Signed with client public key)

Fixed Diffie-Hellman

Another solution is the fixed Diffie-Hellman method. All entities in a group can prepare fixed Diffie-Hellman parameters (g and p). Then each entity can create a fixed Diffie-Hellman half-key. For additional security, each individual half-key is inserted into a certificate verified by a certification authority (CA). In other words, the two parties do not directly exchange the half-keys: the CA sends the half-keys in an RSA or special certificate. When the client needs to calculate the pre-master secret, it uses its own fixed half-key and the server half-key received in a certificate. The server does the same, but in the reverse order. Note that no key-exchange messages are passed in this method; only certificates are exchanged.

Fortezza

Fortezza (derived from the Italian word for fortress) is a registered trademark of the U.S. National Security Agency (NSA). It is a family of security protocols developed for the Defense Department. We do not discuss Fortezza in this text because of its complexity.

Encryption/Decryption Algorithms

There are several choices for the encryption/decryption algorithm. We can divide the algorithms into 6 groups as shown in Figure 17.6. All block protocols use an 8-byte initialization vector (IV), except for Fortezza, which uses a 20-byte IV.

Figure 17.6 Encryption/decryption algorithms (figure not reproduced; it groups the algorithms into NULL, Stream RC, Block RC, DES, IDEA, and Fortezza; recovered labels include NULL, DES_CBC, and 3DES_EDE_CBC)

The NULL category simply defines the lack of an encryption/decryption algorithm.

Stream RC

Two RC algorithms are defined in stream mode: RC4_40 (40-bit key) and RC4_128 (128-bit key).

Block RC

One RC algorithm is defined in block mode: RC2_CBC_40 (40-bit key).

DES

All DES algorithms are defined in block mode. DES40_CBC uses a 40-bit key. Standard DES is defined as DES_CBC. 3DES_EDE_CBC uses a 168-bit key.

IDEA

The one IDEA algorithm defined in block mode is IDEA_CBC with a 128-bit key.

Fortezza

The one Fortezza algorithm defined in block mode is FORTEZZA_CBC with a 96-bit key.

Hash Algorithms

SSL uses hash algorithms to provide message integrity (message authentication). Several hash functions are defined, as shown in Figure 17.7.

Figure 17.7 Hash algorithms for message integrity (figure not reproduced; it lists Null, MD5, and SHA-1)

Null

The two parties may decline to use an algorithm. In this case, there is no hash function and the message is not authenticated.

MD5

The two parties may choose MD5 as the hash algorithm. In this case, a 128-bit MD5 hash algorithm is used.

SHA-1

The two parties may choose SHA as the hash algorithm. In this case, a 160-bit SHA-1 hash algorithm is used.

Cipher Suite

The combination of key exchange, hash, and encryption algorithms defines a cipher suite for each SSL session. Table 17.1 shows the suites used in the United States. We have not included those that are used for export. Note that not all combinations of key exchange, message integrity, and message authentication are in the list.

Each suite starts with the term "SSL" followed by the key exchange algorithm. The word "WITH" separates the key exchange algorithm from the encryption and hash algorithms. For example,

SSL_DHE_RSA_WITH_DES_CBC_SHA

defines DHE_RSA (ephemeral Diffie-Hellman with RSA digital signature) as the key exchange with DES_CBC as the encryption algorithm and SHA as the hash algorithm.



Table 17.1 SSL cipher suite list

Cipher Suite                               Key Exchange   Encryption   Hash
SSL_NULL_WITH_NULL_NULL                    NULL           NULL         NULL
SSL_RSA_WITH_NULL_MD5                      RSA            NULL         MD5
SSL_RSA_WITH_NULL_SHA                      RSA            NULL         SHA-1
SSL_RSA_WITH_RC4_128_MD5                   RSA            RC4          MD5
SSL_RSA_WITH_RC4_128_SHA                   RSA            RC4          SHA-1
SSL_RSA_WITH_IDEA_CBC_SHA                  RSA            IDEA         SHA-1
SSL_RSA_WITH_DES_CBC_SHA                   RSA            DES          SHA-1
SSL_RSA_WITH_3DES_EDE_CBC_SHA              RSA            3DES         SHA-1
SSL_DH_anon_WITH_RC4_128_MD5               DH_anon        RC4          MD5
SSL_DH_anon_WITH_DES_CBC_SHA               DH_anon        DES          SHA-1
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA          DH_anon        3DES         SHA-1
SSL_DHE_RSA_WITH_DES_CBC_SHA               DHE_RSA        DES          SHA-1
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA          DHE_RSA        3DES         SHA-1
SSL_DHE_DSS_WITH_DES_CBC_SHA               DHE_DSS        DES          SHA-1
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA          DHE_DSS        3DES         SHA-1
SSL_DH_RSA_WITH_DES_CBC_SHA                DH_RSA         DES          SHA-1
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA           DH_RSA         3DES         SHA-1
SSL_DH_DSS_WITH_DES_CBC_SHA                DH_DSS         DES          SHA-1
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA           DH_DSS         3DES         SHA-1
SSL_FORTEZZA_DMS_WITH_NULL_SHA             Fortezza       NULL         SHA-1
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA     Fortezza       Fortezza     SHA-1
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA          Fortezza       RC4          SHA-1

Note that DH is fixed Diffie-Hellman, DHE is ephemeral Diffie-Hellman, and DH_anon is anonymous Diffie-Hellman.
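The naming rule above can be applied mechanically. The following is an added example in Python, not code from the book: it splits a suite name into its key exchange, encryption and hash parts and reports which of the three services (server authentication, confidentiality, message integrity) a suite does not provide, so that NULL and DH_anon suites in Table 17.1 can be recognised and rejected by configuration. The suite list is a constructed subset of the table.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few suite names taken from Table 17.1.
SAMPLE_SUITES = [
    "SSL_NULL_WITH_NULL_NULL",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",
]

# SSL_<key exchange>_WITH_<encryption>_<hash>; the hash is always the last token.
SUITE_NAME = re.compile(r"SSL_(.+)_WITH_(.+)_(NULL|MD5|SHA)")


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str   # e.g. "RSA", "DHE_RSA", "DH_anon", "FORTEZZA_DMS"
    encryption: str     # e.g. "NULL", "RC4_128", "3DES_EDE_CBC"
    hash_alg: str       # "NULL", "MD5" or "SHA"

    @property
    def authenticates_server(self):
        # NULL performs no key exchange at all; DH_anon identifies neither party.
        return self.key_exchange not in ("NULL", "DH_anon")

    @property
    def encrypts(self):
        return self.encryption != "NULL"

    @property
    def has_mac(self):
        return self.hash_alg != "NULL"


def is_suite_name(name):
    """True when the string follows the SSL_..._WITH_... naming rule."""
    return SUITE_NAME.fullmatch(name) is not None


def parse_suite(name):
    """Split a suite name into its three components."""
    m = SUITE_NAME.fullmatch(name)
    if not m:
        raise ValueError(f"not an SSL cipher suite name: {name!r}")
    key_exchange, encryption, hash_alg = m.groups()
    return CipherSuite(name, key_exchange, encryption, hash_alg)


def audit_suite(name):
    """Return the list of services the suite does NOT provide (empty list when
    it authenticates the server, encrypts and authenticates every record)."""
    suite = parse_suite(name)
    missing = []
    if not suite.authenticates_server:
        missing.append("server authentication")
    if not suite.encrypts:
        missing.append("confidentiality")
    if not suite.has_mac:
        missing.append("message integrity")
    return missing


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        gaps = audit_suite(suite)
        print(f"{suite:42s} {'ok' if not gaps else 'missing: ' + ', '.join(gaps)}")
```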

Compression Algorithms

As we said before, compression is optional in SSLv3. No specific compression algorithm is defined for SSLv3. Therefore, the default compression method is NULL. However, a system can use whatever compression algorithm it desires.

Cryptographic Parameter Generation

To achieve message integrity and confidentiality, SSL needs six cryptographic secrets, four keys and two IVs. The client needs one key for message authentication (HMAC), one key for encryption, and one IV for block encryption. The server needs the same. SSL requires that the keys for one direction be different from those for the other direction. If there is an attack in one direction, the other direction is not affected. The parameters are generated using the following procedure:

1. The client and server exchange two random numbers; one is created by the client and the other by the server.

2. The client and server exchange one pre-master secret using one of the key-exchange algorithms we discussed previously.



3. A 48-byte master secret is created from the pre-master secret by applying two hash functions (SHA-1 and MD5), as shown in Figure 17.8.

Figure 17.8 Calculation of master secret from pre-master secret (figure not reproduced; it shows three parallel modules: the constants "A", "BB", and "CCC" are each prepended to PM || CR || SR and hashed with SHA-1, each SHA-1 hash is prepended with PM and hashed with MD5, and the three MD5 hashes are concatenated to form the 48-byte master secret. SR: Server Random Number; CR: Client Random Number)


4. The master secret is used to create variable-length key material by applying the same set of hash functions and prepending with different constants as shown in Figure 17.9. The module is repeated until key material of adequate size is created.



Figure 17.9 Calculation of key material from master secret (figure not reproduced; it repeats the module of Figure 17.8 with the master secret M in place of PM and the inputs M || SR || CR, concatenating the MD5 hashes into the key material. M: Master Secret; SR: Server Random Number; CR: Client Random Number)



Note that the length of the key material block depends on the cipher suite selected and the size of keys needed for this suite.

5. Six different keys are extracted from the key material, as shown in Figure 17.10.
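Steps 3 to 5 carried through in code, as an added Python example that is not from the book: the SSLv3 master secret (Figure 17.8), the key material block (Figure 17.9, note the reversed SR || CR order) and the extraction of the six secrets (Figure 17.10). The pre-master secret and the two random numbers are constructed sample values, and the default key sizes assume a 3DES_EDE_CBC / SHA-1 suite from Table 17.1.

```python
import hashlib

# Constructed sample inputs (not from the page): a 48-byte pre-master secret
# as produced by the RSA method, and the two 32-byte random numbers of Phase I.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = bytes([0xAA]) * 32
SERVER_RANDOM = bytes([0xBB]) * 32


def label_constant(i):
    """The constant prepended to the i-th SHA-1 input: "A", "BB", "CCC", ..."""
    return bytes([ord("A") + i]) * (i + 1)


def ssl3_expand(secret, first_random, second_random, n_blocks):
    """The module shared by Figures 17.8 and 17.9: concatenate n_blocks blocks of
    MD5(secret || SHA-1(constant || secret || first_random || second_random)).
    Each block is 16 bytes because MD5 produces a 128-bit hash."""
    out = b""
    for i in range(n_blocks):
        inner = hashlib.sha1(label_constant(i) + secret + first_random + second_random).digest()
        out += hashlib.md5(secret + inner).digest()
    return out


def master_secret(pre_master, client_random, server_random):
    """Step 3: three blocks over PM || CR || SR give the 48-byte master secret."""
    return ssl3_expand(pre_master, client_random, server_random, 3)


def key_block(master, client_random, server_random, length):
    """Step 4: key material over M || SR || CR, repeated until 'length' bytes exist."""
    n_blocks = -(-length // 16)          # ceiling division
    return ssl3_expand(master, server_random, client_random, n_blocks)[:length]


def extract_secrets(material, mac_len, key_len, iv_len):
    """Step 5 (Figure 17.10): slice the six secrets out of the key material in the
    order client MAC key, server MAC key, client key, server key, client IV, server IV."""
    names = ["client_write_mac", "server_write_mac",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    secrets, pos = {}, 0
    for name, size in zip(names, sizes):
        secrets[name] = material[pos:pos + size]
        pos += size
    return secrets


def derive_connection_secrets(pre_master, client_random, server_random,
                              mac_len=20, key_len=24, iv_len=8):
    """Steps 3-5 for one connection. The defaults assume 3DES_EDE_CBC with SHA-1:
    20-byte SHA-1 MAC secrets, 24-byte 3DES keys and 8-byte IVs (assumption)."""
    master = master_secret(pre_master, client_random, server_random)
    needed = 2 * (mac_len + key_len + iv_len)
    material = key_block(master, client_random, server_random, needed)
    return master, extract_secrets(material, mac_len, key_len, iv_len)


if __name__ == "__main__":
    master, secrets = derive_connection_secrets(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", master.hex())
    for name, value in secrets.items():
        print(f"{name:18s} {value.hex()}")
```

The client-side and server-side secrets come from different positions in the same key block, which is how SSL gets the per-direction keys the text requires without a second key exchange.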

Figure 17.10 Extraction of cryptographic secrets from key material (figure not reproduced; the key material is split into the client authentication key, the server authentication key, the client encryption key, the server encryption key, the client IV, and the server IV. Auth. Key: Authentication Key; Enc. Key: Encryption Key)

Sessions and Connections

SSL differentiates a connection from a session. Let us elaborate on those two terms here. A session is an association between a client and a server. After a session is established, the two parties have common information such as the session identifier, the certificate authenticating each of them (if necessary), the compression method (if needed), the cipher suite, and a master secret that is used to create keys for message authentication and encryption.

For two entities to exchange data, the establishment of a session is necessary, but not sufficient; they need to create a connection between themselves. The two entities exchange two random numbers and create, using the master secret, the keys and parameters needed for exchanging messages involving authentication and privacy.

A session can consist of many connections. A connection between two parties can be terminated and reestablished within the same session. When a connection is terminated, the two parties can also terminate the session, but it is not mandatory. A session can be suspended and resumed again.

To create a new session, the two parties need to go through a negotiation process. To resume an old session and create only a new connection, the two parties can skip part of the negotiation process and go through a shorter one. There is no need to create a master secret when a session is resumed.

The separation of a session from a connection prevents the high cost of creating a master secret. By allowing a session to be suspended and resumed, the process of the master secret calculation can be eliminated. Figure 17.11 shows the idea of a session and connections inside that session.

In a session, one party has the role of a client and the other the role of a server; in a connection, both parties have equal roles, they are peers.



Figure 17.11 A session and connections (figure not reproduced; recovered labels: Client, Server, Connection start, Connection state, Session state)

Session State

A session is defined by a session state, a set of parameters established between the server and the client. Table 17.2 shows the list of parameters for a session state.

Table 17.2 Session state parameters

Parameter            Description
Session ID           A server-chosen 32-bit number defining a session.
Peer Certificate     A certificate of type X509.v3. This parameter may be empty (null).
Compression Method   The compression method.
Cipher Suite         The agreed-upon cipher suite.
Master Secret        The 48-byte secret.
Is resumable         A yes-no flag that allows new connections in an old session.

Connection State

A connection is defined by a connection state, a set of parameters established between two peers. Table 17.3 shows the list of parameters for a connection state.

SSL uses two attributes to distinguish cryptographic secrets: write and read. The term write specifies the key used for signing or encrypting outbound messages. The term read specifies the key used for verifying or decrypting inbound messages. Note that the write key of the client is the same as the read key of the server; the read key of the client is the same as the write key of the server.

The client and the server have six different cryptographic secrets: three read secrets and three write secrets. The read secrets for the client are the same as the write secrets for the server and vice versa.


Table 17.3 Connection state parameters

Parameter                          Description
Server and client random numbers   A sequence of bytes chosen by the server and client for each connection.
Server write MAC secret            The outbound server MAC key for message integrity. The server uses it to sign; the client uses it to verify.
Client write MAC secret            The outbound client MAC key for message integrity. The client uses it to sign; the server uses it to verify.
Server write secret                The outbound server encryption key for message integrity.
Client write secret                The outbound client encryption key for message integrity.
Initialization vectors             The block ciphers in CBC mode use initialization vectors (IVs). One initialization vector is defined for each cipher key during the negotiation, which is used for the first block exchange. The final ciphertext from a block is used as the IV for the next block.
Sequence numbers                   Each party has a sequence number. The sequence number starts from 0 and increments. It must not exceed 2^64 - 1.

17.2 FOUR PROTOCOLS

We have discussed the idea of SSL without showing how SSL accomplishes its tasks. SSL defines four protocols in two layers, as shown in Figure 17.12. The Record Protocol is the carrier. It carries messages from three other protocols as well as the data coming from the application layer. Messages from the Record Protocol are payloads to the transport layer, normally TCP. The Handshake Protocol provides security parameters for the Record Protocol. It establishes a cipher set and provides keys and security


Figure 17.12 Four SSL ptBtQcoLs 




Application Layc^^^ 



SSL 



ILiflrj- 










^Alerf 






fYulocri] 




PfOtOCdl 


5 


t : 







i7 SECURS&ATTHE TRANSPORT LA YER: SSL AND TLS 



4* 

parameters. It also authenticates the server to the client and the client to the server if needed. The ChangeCipherSpec Protocol is used for signalling the readiness of cryptographic secrets. The Alert Protocol is used to report abnormal conditions. We will briefly discuss these protocols in this section.

Handshake Protocol

The Handshake Protocol uses messages to negotiate the cipher suite, to authenticate the server to the client and the client to the server if needed, and to exchange information for building the cryptographic secrets. The handshaking is done in four phases, as shown in Figure 17.13.



Fi %u re 17. 13 Humlshate Pmwol 



Clicni 




L^trvwaufhfirttit^tipri, and fesy raiAftota 

.. .. \_J l 



Ph*& 111 



,::| S 




Phase TT 





Hlp^Mng t 


h. 




Js base Protocol 













ir ■ ' i • 



Pha.sc J V 



Phase I: Establishing Security Capability

In Phase I, the client and the server announce their security capabilities and choose those that are convenient for both. In this phase, a session ID is established and the cipher suite is chosen. The parties agree upon a particular compression method. Finally, two random numbers are selected, one by the client and one by the server, to be used for creating a master secret as we saw before. Two messages are exchanged in this phase: ClientHello and ServerHello messages. Figure 17.14 gives additional details about Phase I.

ClientHello The client sends the ClientHello message. It contains the following:

a. The highest SSL version number the client can support.

b. A 32-byte random number (from the client) that will be used for master secret generation.

c. A session ID that defines the session.

d. A cipher suite that defines the list of algorithms that the client can support.

e. A list of compression methods that the client can support.


Figure 17.14 Phase I of Handshake Protocol (figure not reproduced; the ClientHello carries Version, Client random number, Session ID, Cipher suite, Compression methods; the ServerHello carries Version, Server random number, Selected cipher set, Selected compression method)
ServerHello The server responds to the client with a ServerHello message. It contains the following:

a. An SSL version number. This number is the lower of two version numbers: the highest supported by the client and the highest supported by the server.

b. A 32-byte random number (from the server) that will be used for master secret generation.

c. A session ID that defines the session.

d. The selected cipher set from the client list.

e. The selected compression method from the client list.

After Phase I, the client and server know the following:

□ The version of SSL

□ The algorithms for key exchange, message authentication, and encryption

□ The compression method

□ The two random numbers for key generation


Phase II: Server Key Exchange and Authentication

In Phase II, the server authenticates itself if needed. The sender may send its certificate, its public key, and may also request certificates from the client. At the end, the server announces that the serverHello process is done. Figure 17.15 gives additional details about Phase II.



Figure 17.15 Phase II of Handshake Protocol (figure not reproduced; recovered labels: Certificate, Certificate Request)
Certificate If it is required, the server sends a Certificate message to authenticate itself. The message includes a list of certificates of type X.509. The certificate is not needed if the key-exchange algorithm is anonymous Diffie-Hellman.

ServerKeyExchange After the Certificate message, the server sends a ServerKeyExchange message that includes its contribution to the pre-master secret. This message is not required if the key-exchange method is RSA or fixed Diffie-Hellman.

CertificateRequest The server may require the client to authenticate itself. In this case, the server sends a CertificateRequest message in Phase II and asks for certification in Phase III from the client. The server cannot request a certificate from the client if it is using anonymous Diffie-Hellman.

ServerHelloDone The last message in Phase II is the ServerHelloDone message, which is a signal to the client that Phase II is over and that the client needs to start Phase III.

After Phase II,

□ The server is authenticated to the client.

□ The client knows the public key of the server if required.

Let us elaborate on the server authentication and the key exchange in this phase. The first two messages in this phase are based on the key-exchange method. Figure 17.16 shows four of six methods we discussed before. We have not included the NULL method because there is no exchange. We have not included the Fortezza method because we do not discuss it in depth in this book.


Figure 17.16 Four cases in Phase II (figure not reproduced; panels: a. RSA, b. Anonymous DH, c. Ephemeral DH, d. Fixed DH; recovered labels: Certificate, No certificate, No ServerKeyExchange)
RSA. In this method, the server sends its RSA encry ptioiiAieciy pii on public-key 
certificate iii tin: first messagew^c second message, however, is empty because the 
pre-rnaster secret is.gcncrate<hd^ent by the client in the next phase. Note that 
the public-key certificate authenticates the server to the client. When the server 
receives die pre-master secret, it oQypfc It with its private key. The possession of 
the private key by the server is prosper the server is the entity that it claims to be 
in the public -key certificate sent in thereat message. 

Anonymous DH. In this method, ther^i^rio Certificate message. An anonymous 
entity does not have a certificate. In the ScryerKeyExchange message, the server 
sends the Diffie-Hellinfui parameters and rrVj^ilf-kcy. Note that tlic server is not 
authenticated in this method. x 

Ephemeral DH. In this method, the server sends either an RSA or a DSS digital signature certificate. The private key associated with the certificate allows the server to sign a message; the public key allows the recipient to verify the signature. In the second message, the server sends the Diffie-Hellman parameters and the half-key signed by its private key. Other text is also sent. The server is authenticated to the client in this method, not because it sends the certificate, but because it signs the parameters and keys with its private key. The possession of the private key is proof that the server is the entity that it claims to be in the certificate. If an impostor copies and sends the certificate to the client, pretending that it is the server claimed in the certificate, it cannot sign the second message because it does not have the private key.

Fixed DH. In this method, the server sends an RSA or DSS digital signature certificate that includes its registered DH half-key. The second message is empty. The certificate is signed by the CA's private key and can be verified by the client using the CA's public key. In other words, the CA is authenticated to the client and the CA claims that the half-key belongs to the server.

Phase III: Client Key Exchange and Authentication

Phase III is designed to authenticate the client. Up to three messages can be sent from the client to the server, as shown in Figure 17.17.

Figure 17.17 Phase III of Handshake Protocol (client to server: Certificate (chain of certificates), ClientKeyExchange (client half-key), CertificateVerify)

Certificate To certify itself to the server, the client sends a Certificate message. Note that the format is the same as the Certificate message sent by the server in Phase II, but the contents are different. It includes the chain of certificates that certify the client. This message is sent only if the server has requested a certificate in Phase II. If there is a request and the client has no certificate to send, it sends an Alert message (part of the Alert Protocol to be discussed later) with a warning that there is no certificate. The server may continue with the session or may decide to abort.

ClientKeyExchange After sending the Certificate message, the client sends a ClientKeyExchange message, which includes its contribution to the pre-master secret. The contents of this message are based on the key-exchange algorithm used. If the method is RSA, the client creates the entire pre-master secret and encrypts it with the RSA public key of the server. If the method is anonymous or ephemeral Diffie-Hellman, the client sends its Diffie-Hellman half-key. If the method is Fortezza, the client sends the Fortezza parameters. The contents of this message are empty if the method is fixed Diffie-Hellman.

CertificateVerify If the client has sent a certificate declaring that it owns the public key in the certificate, it needs to prove that it knows the corresponding private key. This is needed to thwart an impostor who sends the certificate and claims that it comes from the client. The proof of private-key possession is done by creating a message and signing it with the private key. The server can verify the message with the public key already sent to ensure that the certificate actually belongs to the client. Note that this is possible if the certificate has a signing capability; a pair of keys, public and private, is involved. The certificate for fixed Diffie-Hellman cannot be verified this way.



After Phase III,

□ The client is authenticated for the server.

□ Both the client and the server know the pre-master secret.



Let us elaborate on the client authentication and the key exchange in this phase. The three messages in this phase are based on the key-exchange method. Figure 17.18 shows four of the six methods we discussed before. Again, we have not included the NULL method or the Fortezza method.



Figure 17.18 Four cases in Phase III (a. RSA: RSA or DSS certificate if requested, ClientKeyExchange encrypted with the server's public key; b. Anonymous DH: no certificate, ClientKeyExchange; c. Ephemeral DH: certificate, ClientKeyExchange signed with the client's private key; d. Fixed DH: DH certificate)



□ RSA. In this case, there is no Certificate message unless the server has explicitly requested one in Phase II. The ClientKeyExchange message includes the pre-master secret encrypted with the RSA public key received in Phase II.

□ Anonymous DH. In this method, there is no Certificate message. The server does not have the right to ask for the certificate (in Phase II) because both the client and the server are anonymous. In the ClientKeyExchange message, the client sends the Diffie-Hellman parameters and its half-key. Note that the client is not authenticated to the server in this method.



□ Ephemeral DH. In this method, the client usually has a certificate. The server needs to send its RSA or DSS certificate (based on the agreed-upon cipher suite). In the ClientKeyExchange message, the client signs the DH parameters and its half-key and sends them. The client is authenticated to the server by signing the second message. If the client does not have the certificate, and the server asks for it, the client sends an Alert message to warn the server. If this is acceptable to the server, the client sends the DH parameters and key in plaintext. Of course, the client is not authenticated to the server in this situation.

□ Fixed DH. In this method, the client usually sends a DH certificate in the first message. Note that the second message is empty in this method. The client is authenticated to the server by sending the DH certificate.

Phase IV: Finalizing and Finishing

In Phase IV, the client and server send messages to change the cipher specification and to finish the handshaking protocol. Four messages are exchanged in this phase, as shown in Figure 17.19.



Figure 17.19 Phase IV of Handshake Protocol (client to server: ChangeCipherSpec (ChangeCipherSpec value), Finished (MD5 hash + SHA-1 hash); server to client: ChangeCipherSpec, Finished)



ChangeCipherSpec The client sends a ChangeCipherSpec message to show that it has moved all of the cipher suite set and the parameters from the pending state to the active state. This message is actually part of the ChangeCipherSpec Protocol that we will discuss later.

Finished The next message is also sent by the client. It is a Finished message that announces the end of the handshaking protocol by the client.

ChangeCipherSpec The server sends a ChangeCipherSpec message to show that it has also moved all of the cipher suite set and parameters from the pending state to the active state. This message is part of the ChangeCipherSpec Protocol, which will be discussed later.



Finished Finally, the server sends a Finished message to show that handshaking is totally complete.

After Phase IV, the client and server are ready to exchange data.

ChangeCipherSpec Protocol

We have seen that the negotiation of the cipher suite and the generation of cryptographic secrets are formed gradually during the Handshake Protocol. The question now is: When can the two parties use these parameters and secrets? SSL mandates that the parties cannot use these parameters or secrets until they have sent or received a special message, the ChangeCipherSpec message, which is exchanged during the Handshake Protocol and defined in the ChangeCipherSpec Protocol. The reason is that the issue is not just sending or receiving a message. The sender and the receiver need two states, not one. One state, the pending state, keeps track of the parameters and secrets. The other state, the active state, holds parameters and secrets used by the Record Protocol to sign/verify or encrypt/decrypt messages. In addition, each state holds two sets of values: read (inbound) and write (outbound).

The ChangeCipherSpec Protocol defines the process of moving values between the pending and active states. Figure 17.20 shows a hypothetical situation, with hypothetical values to show the concept. Only a few parameters are shown. Before the exchange of any ChangeCipherSpec messages, only the pending columns have values.

Figure 17.20 Movement of parameters from pending state to active state (client and server each keep active and pending columns of read/write values for cipher, MAC, cipher key, MAC key and IV; the client Finished message can be signed and encrypted by the client and verified and decrypted by the server; the server Finished message can be signed and encrypted by the server and verified and decrypted by the client)

First the client sends a ChangeCipherSpec message. After the client sends this message, it moves the write (outbound) parameters from pending to active. The client can now use these parameters to sign or encrypt outbound messages. After the server receives this message, it moves the read (inbound) parameters from the pending to the active state. Now the server can verify and decrypt messages. This means that the Finished message sent by the client can be signed and encrypted by the client and verified and decrypted by the server.

The server sends the ChangeCipherSpec message after receiving the Finished message from the client. After sending this message, it moves the write (outbound) parameters from pending to active. The server can now use these parameters to sign or encrypt outbound messages. After the client receives this message, it moves the read (inbound) parameters from the pending to the active state. Now the client can verify and decrypt messages.

Of course, after the exchange of Finished messages, both parties can communicate in both directions using the read/write active parameters.

Alert Protocol

SSL uses the Alert Protocol for reporting errors and abnormal conditions. It has only one message type, the Alert message, that describes the problem and its level (warning or fatal). Table 17.4 shows the types of Alert messages defined for SSL.









Table 17.4 Alert messages for SSL

Value   Description             Meaning
0       CloseNotify             Sender will not send any more messages.
10      UnexpectedMessage       An inappropriate message received.
20      BadRecordMAC            An incorrect MAC received.
30      DecompressionFailure    Unable to decompress appropriately.
40      HandshakeFailure        Sender unable to finalize the handshake.
41      NoCertificate           Client has no certificate to send.
42      BadCertificate          Received certificate corrupted.
43      UnsupportedCertificate  Type of received certificate is not supported.
44      CertificateRevoked      Signer has revoked the certificate.
45      CertificateExpired      Certificate expired.
46      CertificateUnknown      Certificate unknown.
47      IllegalParameter        An out-of-range or inconsistent field.



Record Protocol

The Record Protocol carries messages from the upper layer (Handshake Protocol, ChangeCipherSpec Protocol, Alert Protocol, or application layer). The message is fragmented and optionally compressed; a MAC is added to the compressed message using the negotiated hash algorithm. The compressed fragment and the MAC are encrypted using the negotiated encryption algorithm. Finally, the SSL header is added to the encrypted message. Figure 17.21 shows this process at the sender. The process at the receiver is reversed.

Figure 17.21 Processing done by the Record Protocol (a. Process: payload from upper protocol, fragmentation, compression, MAC using the write secret, encryption using the cipher key, Record Protocol header (RPH) added; b. Encapsulation: RPH, compressed fragment, MAC)

Note, however, that this process can be done only when the cryptographic parameters are in the active state. Messages sent before the movement from pending to active are neither signed nor encrypted. However, in the next sections, we will see some messages in the Handshake Protocol that use some defined hash values for message integrity.

Fragmentation/Combination

At the sender, a message from the application layer is fragmented into blocks of 2^14 bytes, with the last block possibly less than this size. At the receiver, the fragments are combined together to make a replica of the original message.



Compression/Decompression

At the sender, all application layer fragments are compressed by the compression method negotiated during the handshaking. The compression method needs to be lossless (the decompressed fragment must be an exact replica of the original fragment). The size of the fragment must not exceed 1024 bytes. Some compression methods work only on a predefined block size and if the size of the block is less than this, some padding is added. Therefore the size of the compressed fragment may be greater than the size of the original fragment. At the receiver, the compressed fragment is decompressed to create a replica of the original. If the size of the decompressed fragment exceeds 2^14, a fatal decompression failure message is issued. Note that compression/decompression is optional in SSL.



Signing/Verifying

At the sender, the authentication method defined during the handshake (NULL, MD5, or SHA-1) creates a signature (MAC) as shown in Figure 17.22.

Figure 17.22 Calculation of MAC (inputs: MAC write secret, Pad-1, sequence number, type, length, compressed fragment; the negotiated hash algorithm (MD5 or SHA-1) is applied twice, with the MAC write secret and Pad-2 in the second pass. Pad-1: byte 0x36 (00110110) repeated 48 times for MD5 and 40 times for SHA-1. Pad-2: byte 0x5C (01011100) repeated 48 times for MD5 and 40 times for SHA-1)


The hash algorithm is applied twice. First, a hash is created from the concatenation of the following values:

a. The MAC write secret (authentication key for the outbound message)

b. Pad-1, which is the byte 0x36 repeated 48 times for MD5 and 40 times for SHA-1

c. The sequence number for this message

d. The compressed type, which defines the upper-layer protocol that provided the compressed fragment

e. The compressed length, which is the length of the compressed fragment

f. The compressed fragment itself

Second, the final hash (MAC) is created from the concatenation of the following values:

a. The MAC write secret

b. Pad-2, which is the byte 0x5C repeated 48 times for MD5 and 40 times for SHA-1

c. The hash created from the first step

At the receiver, the verifying is done by calculating a new hash and comparing it to the received hash.
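The two-pass calculation above, as an added example that is not code from the book: it computes and verifies the SSLv3 record MAC with hashlib, using the field widths from the SSL 3.0 specification (8-byte sequence number, 1-byte type, 2-byte length); the secret, sequence number and fragment are constructed sample values.

```python
import hashlib
import hmac  # used only for constant-time comparison of the received MAC

# Pad lengths from the text: 48 bytes for MD5, 40 bytes for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}


def _pads(hash_name):
    n = PAD_LEN[hash_name]
    return b"\x36" * n, b"\x5c" * n  # Pad-1, Pad-2


def ssl3_record_mac(hash_name, mac_write_secret, seq_num, content_type, compressed_fragment):
    """MAC of one Record Protocol fragment.

    First pass : hash(secret + Pad-1 + sequence number + type + length + fragment)
    Second pass: hash(secret + Pad-2 + first hash)
    Field widths follow SSL 3.0: 8-byte sequence number, 1-byte type, 2-byte length.
    """
    pad1, pad2 = _pads(hash_name)
    inner = hashlib.new(hash_name,
                        mac_write_secret + pad1
                        + seq_num.to_bytes(8, "big")
                        + bytes([content_type])
                        + len(compressed_fragment).to_bytes(2, "big")
                        + compressed_fragment).digest()
    return hashlib.new(hash_name, mac_write_secret + pad2 + inner).digest()


def verify_record_mac(hash_name, mac_read_secret, seq_num, content_type,
                      compressed_fragment, received_mac):
    """Receiver side: recompute with the read secret and compare in constant time."""
    expected = ssl3_record_mac(hash_name, mac_read_secret, seq_num, content_type,
                               compressed_fragment)
    return hmac.compare_digest(expected, received_mac)


# Constructed sample values (not from the book). The sender's MAC write secret is the
# receiver's MAC read secret for the same direction.
SAMPLE_SECRET = bytes(range(20))
APPLICATION_DATA = 23          # Record Protocol value for application data
SAMPLE_FRAGMENT = b"GET / HTTP/1.0\r\n\r\n"


def demo():
    """Shows what the MAC binds: the fragment, its type and its sequence number."""
    tag = ssl3_record_mac("sha1", SAMPLE_SECRET, 0, APPLICATION_DATA, SAMPLE_FRAGMENT)
    return {
        # the receiver recomputes over the same record and accepts it
        "ok": verify_record_mac("sha1", SAMPLE_SECRET, 0, APPLICATION_DATA,
                                SAMPLE_FRAGMENT, tag),
        # the same record presented under another sequence number (replay/reorder) fails
        "replayed": verify_record_mac("sha1", SAMPLE_SECRET, 1, APPLICATION_DATA,
                                      SAMPLE_FRAGMENT, tag),
        # a modified fragment fails
        "tampered": verify_record_mac("sha1", SAMPLE_SECRET, 0, APPLICATION_DATA,
                                      SAMPLE_FRAGMENT + b"x", tag),
        # the same bytes relabelled as another upper-layer protocol (22 = Handshake) fail
        "retyped": verify_record_mac("sha1", SAMPLE_SECRET, 0, 22, SAMPLE_FRAGMENT, tag),
    }


if __name__ == "__main__":
    print(demo())
```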



Encryption/Decryption

At the sender, the compressed fragment and the hash are encrypted using the cipher write secret. At the receiver, the received message is decrypted using the cipher read secret. For block encryption, padding is added to make the size of the encrypted message a multiple of the block size.

After the encryption, the Record Protocol header is added at the sender. The header is removed at the receiver before decryption.

17.3 SSL MESSAGE FORMATS

As we have discussed, messages from three protocols and data from the application layer are encapsulated in the Record Protocol messages. In other words, the Record Protocol message encapsulates messages from four different sources at the sender site. At the receiver site, the Record Protocol decapsulates the messages and delivers them to different destinations. The Record Protocol has a general header that is added to each message coming from the sources, as shown in Figure 17.23.

Figure 17.23 Record Protocol general header (Protocol: 1 byte; Version: 2 bytes; Length: 2 bytes)

The fields in this header are listed below.

□ Protocol. This 1-byte field defines the source or destination of the encapsulated message. It is used for multiplexing and demultiplexing. The values are 20 (ChangeCipherSpec Protocol), 21 (Alert Protocol), 22 (Handshake Protocol), and 23 (data from the application layer).

□ Version. This 2-byte field defines the version of the SSL; one byte is the major version and the other is the minor. The current version of SSL is 3.0 (major 3 and minor 0).

□ Length. This 2-byte field defines the size of the message (without the header) in bytes.



ChangeCipherSpec Protocol

As we said before, the ChangeCipherSpec Protocol has one message, the ChangeCipherSpec message. The message is only one byte, encapsulated in the Record Protocol message with protocol value 20, as shown in Figure 17.24.



Figure 17.24 ChangeCipherSpec message (Record Protocol header with protocol value 20, followed by the one-byte CCS field)

The one-byte field in the message is called CCS and its value is currently 1.



Alert Protocol

The Alert Protocol, as we discussed before, has one message that reports errors in the process. Figure 17.25 shows the encapsulation of this single message in the Record Protocol with protocol value 21.

Figure 17.25 Alert message (Record Protocol header with protocol value 21, followed by Level: 1 byte and Description: 1 byte)

The two fields of the Alert message are listed below.

□ Level. This one-byte field defines the level of the error. Two levels have been defined so far: warning and fatal.

□ Description. The one-byte description defines the type of error.



Handshake Protocol

Several messages have been defined for the Handshake Protocol. All of these messages have the four-byte generic header shown in Figure 17.26. The figure shows the Record Protocol header and the generic header for the Handshake Protocol. Note that the value of the protocol field is 22.

□ Type. This one-byte field defines the type of message. So far ten types have been defined as listed in Table 17.5.



Figure 17.26 Generic header for Handshake Protocol (Record Protocol header with protocol value 22, followed by Type: 1 byte and Length: 3 bytes)

Table 17.5 Types of Handshake messages

Type   Message
0      HelloRequest
1      ClientHello
2      ServerHello
11     Certificate
12     ServerKeyExchange
13     CertificateRequest
14     ServerHelloDone
15     CertificateVerify
16     ClientKeyExchange
20     Finished


□ Length (Len). This three-byte field defines the length of the message (excluding the length of the type and length fields). The reader may wonder why we need two length fields, one in the general Record header and one in the generic header for the Handshake messages. The answer is that a Record message may carry two Handshake messages at the same time if there is no need for another message in between.

HelloRequest Message

The HelloRequest message, which is rarely used, is a request from the server to the client to restart a session. This may be needed if the server finds that something is wrong with the session and a fresh session is needed. For example, if the session becomes so long that it threatens the security of the session, the server may send this message. The client then needs to send a ClientHello message and negotiate the security parameters. Figure 17.27 shows the format of this message. It is four bytes with a type value of 0. The message has no body, so the value of the length field is also 0.

ClientHello Message

The ClientHello message is the first message exchanged during handshaking. Figure 17.28 shows the format of the message.



Figure 17.27 HelloRequest message (Type: 0; Length: 0)

Figure 17.28 ClientHello message (Type: 1; Length; Version; Client random number; Session ID length; Session ID; Cipher suite length; Cipher suites (variable number, each of 2 bytes); Compression method length; Compression methods (variable number, each of 1 byte))

The type and length fields are as discussed previously. The following is a brief description of the other fields.

□ Version. This 2-byte field shows the version of the SSL used. The version is 3.0 for SSL and 3.1 for TLS. Note that the version value, for example, 3.0, is stored in two bytes: 3 in the first byte and 0 in the second.

□ Client Random Number. This 32-byte field is used by the client to send the client random number, which creates security parameters.

□ Session ID Length. This 1-byte field defines the length of the session ID (next field). If there is no session ID, the value of this field is 0.

□ Session ID. The value of this variable-length field is 0 when the client starts a new session. The session ID is initiated by the server. However, if a client wants to resume a previously stopped session, it can include the previously-defined session ID in this field. The protocol defines a maximum of 32 bytes for the session ID.



□ Cipher Suite Length. This 2-byte field defines the length of the client-proposed cipher suite list (next field).

□ Cipher Suite List. This variable-length field gives the list of cipher suites that the client supports. The field lists the cipher suites from the most preferred to the least preferred. Each cipher suite is encoded as a two-byte number.

□ Compression Method Length. This 1-byte field defines the length of the client-proposed compression methods (next field).

□ Compression Method List. This variable-length field gives the list of compression methods that the client supports. The field lists the methods from the most preferred to the least preferred. Each method is encoded as a one-byte number. So far, the only method is the NULL method (no compression). In this case, the value of the compression method length is 1 and the compression method list has only one element with the value of 0.
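A parser for the three layouts described so far, added here as an example that is not the book's code: it reads the Record Protocol general header (Figure 17.23), the generic Handshake header (Figure 17.26) and the ClientHello body (Figure 17.28) from a byte string and rejects truncated or inconsistent input. The sample record is constructed; the two cipher suite codes in it are the standard TLS values for TLS_RSA_WITH_RC4_128_MD5 (0x0004) and TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A).

```python
import struct

# Record Protocol values from the text.
RECORD_PROTOCOLS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = 22
CLIENT_HELLO = 1          # Handshake type value for ClientHello (Table 17.5)
MAX_SESSION_ID = 32       # protocol maximum for the session ID field


class ParseError(ValueError):
    """Raised for any truncated or inconsistent message."""


def parse_record_header(data):
    """General header: Protocol (1 byte), Version (major, minor), Length (2 bytes, header excluded)."""
    if len(data) < 5:
        raise ParseError("record header truncated")
    protocol, major, minor, length = struct.unpack("!BBBH", data[:5])
    if protocol not in RECORD_PROTOCOLS:
        raise ParseError("unknown protocol value %d" % protocol)
    if len(data) < 5 + length:
        raise ParseError("record body truncated")
    return {"protocol": protocol, "version": (major, minor), "length": length,
            "body": data[5:5 + length]}


def parse_handshake_header(body):
    """Generic Handshake header: Type (1 byte) and Length (3 bytes, these four bytes excluded).
    Returns the message and whatever follows it, since one record may carry two Handshake messages."""
    if len(body) < 4:
        raise ParseError("handshake header truncated")
    msg_type = body[0]
    length = int.from_bytes(body[1:4], "big")
    if len(body) < 4 + length:
        raise ParseError("handshake body truncated")
    return msg_type, body[4:4 + length], body[4 + length:]


def parse_client_hello(msg):
    """ClientHello body in the field order of Figure 17.28."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(msg):
            raise ParseError("ClientHello truncated at offset %d" % pos)
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    major, minor = take(2)
    client_random = take(32)
    sid_len = take(1)[0]
    if sid_len > MAX_SESSION_ID:
        raise ParseError("session ID longer than 32 bytes")
    session_id = take(sid_len)
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len == 0 or cs_len % 2:
        raise ParseError("cipher suite list length must be even and non-zero")
    cs = take(cs_len)
    cipher_suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    cm_len = take(1)[0]
    if cm_len == 0:
        raise ParseError("compression method list must not be empty")
    compression_methods = list(take(cm_len))
    if pos != len(msg):
        raise ParseError("trailing bytes after ClientHello")
    return {"version": (major, minor), "client_random": client_random,
            "session_id": session_id, "cipher_suites": cipher_suites,
            "compression_methods": compression_methods}


def parse_client_hello_record(data):
    """Full path: Record header, then Handshake header, then ClientHello."""
    record = parse_record_header(data)
    if record["protocol"] != HANDSHAKE:
        raise ParseError("not a Handshake record")
    msg_type, msg, _rest = parse_handshake_header(record["body"])
    if msg_type != CLIENT_HELLO:
        raise ParseError("expected ClientHello, got type %d" % msg_type)
    return parse_client_hello(msg)


def rejects(data):
    """True if the parser rejects the input (used to exercise the error paths)."""
    try:
        parse_client_hello_record(data)
    except ParseError:
        return True
    return False


def build_client_hello_record(version=(3, 0), client_random=bytes(range(32)), session_id=b"",
                              cipher_suites=(0x0004, 0x000A), compression_methods=(0,)):
    """Builds a constructed sample record (the inverse of the parser); defaults are sample values."""
    body = bytes(version) + client_random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, version[0], version[1], len(handshake)) + handshake


SAMPLE_CLIENT_HELLO = build_client_hello_record()
```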

ServerHello Message

The ServerHello message is the server response to the ClientHello message. The format is similar to the ClientHello message, but with fewer fields. Figure 17.29 shows the format of the message.

Figure 17.29 ServerHello message (Type: 2; Length; Version; Server random number; Session ID length; Session ID (variable length); Selected cipher suite; Compression method)

The version field is the same. The server random number field defines a value selected by the server. The session ID length and the session ID field are the same as those in the ClientHello message. However, the session ID is usually blank (and the length is usually set to 0) unless the server is resuming an old session. In other words, if the server allows a session to resume, it inserts a value in the session ID field to be used by the client (in the ClientHello message) if the client wishes to reopen an old session.

The selected cipher suite field defines the single cipher suite selected by the server from the list sent by the client. The compression method field defines the method selected by the server from the list sent by the client.




Certificate Message

The Certificate message can be sent by the client or the server to list the chain of public-key certificates. Figure 17.30 shows the format.

Figure 17.30 Certificate message (Type: 11; Length; Certificate chain length; Certificate chain (variable length): for each certificate, a 3-byte length and the certificate itself)

The value of the type field is 11. The body of the message includes the following:

□ Certificate Chain Length. This three-byte field shows the length of the certificate chain. This field is redundant because its value is always 3 less than the value of the length field.

□ Certificate Chain. This variable-length field lists the chain of public-key certificates that the client or the server carries. For each certificate, there are two sub-fields:

a. A three-byte length field

b. The variable-size certificate itself

ServerKeyExchange Message

The ServerKeyExchange message is sent from the server to the client. Figure 17.31 shows the general format.

The message contains the keys generated by the server. The format of the message is dependent on the cipher suite selected in the previous message. The client that receives the message needs to interpret the message according to the previous information. If the server has sent a certificate message, then the message also contains a signed parameter.

CertificateRequest Message

The CertificateRequest message is sent from the server to the client. The message asks the client to authenticate itself to the server using one of the acceptable certificates and one of the certificate authorities named in the message. Figure 17.32 shows the format.




Figure 17.31 ServerKeyExchange message (Type: 12; Length; Key lengths and values; Hash if needed)

Figure 17.32 CertificateRequest message (Type: 13; Length; Length of cert types; Certificate types (variable number, each of one byte); Length of CAs; Length of CA-1 name; CA-1 name; ...; Length of CA-N name; CA-N name)

The value of the type field is 13. The body of the message includes the following:

□ Length of Cert Types. This one-byte field shows the length of the certificate types.

□ Certificate Types. This variable-length field gives the list of the public-key certificate types that the server accepts. Each type is one byte.

□ Length of CAs. This two-byte field gives the length of the certificate authorities (the rest of the packet).

□ Length of CA-x Name. This two-byte field defines the length of the xth certificate authority name. The value of x can be between 1 and N.

□ CA-x Name. This variable-length field defines the name of the xth certificate authority. The value of x can be between 1 and N.



ServerHelloDone Message

The ServerHelloDone message is the last message sent in the second phase of handshaking. Figure 17.33 shows the format.

Figure 17.33 ServerHelloDone message (Type: 14; Length: 0)

CertificateVerify Message

The CertificateVerify message is the last message of Phase III. In this message the client proves that it actually owns the private key related to its public key in the certificate. To do so, the client creates a hash of all handshake messages before this message and signs it with its private key. Figure 17.34 shows the format.

Figure 17.34 CertificateVerify message (Type: 15; Length; Hash (variable length))

If the client has a DSS certificate, then the hash is based only on the SHA-1 algorithm; the size of the hash is 20 bytes. If the client has an RSA certificate, then there are two hashes (concatenated), one based on MD5 and the other based on SHA-1. The total length is 16 + 20 = 36 bytes. Figure 17.35 shows the hash calculation.

ClientKeyExchange Message

The ClientKeyExchange message is sent from the client to the server. The format of the message is shown in Figure 17.36.



Figure 17.35 Hash calculation for CertificateVerify message (handshake messages and Pad-1 hashed with MD5 or SHA-1, then the result hashed again with Pad-2; Pad-1: byte 0x36 repeated 48 times for MD5 and 40 times for SHA-1; Pad-2: byte 0x5C repeated 48 times for MD5 and 40 times for SHA-1)

Figure 17.36 ClientKeyExchange message (Type: 16; Length; Key)

Finished Message

The Finished message shows that the negotiation is over. It contains all of the messages exchanged during handshaking, followed by the sender role, the master secret and the padding. The exact format depends on the type of cipher suite used. The general format is shown in Figure 17.37.

Figure 17.37 shows that there is a concatenation of two hashes in the message. Figure 17.38 shows how each is calculated.

Note that when the client or server sends the Finished message, it has already sent the ChangeCipherSpec message. In other words, the write cryptographic secrets are in the active state. The client or the server can treat the Finished message like a data fragment coming from the application layer. The Finished message can be authenticated (using the MAC in the cipher suite) and encrypted (using the encryption algorithm in the cipher suite).
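The CertificateVerify and Finished hashes described above, as an added example that is not the book's code: both use the same nested hash with Pad-1 and Pad-2 over the handshake transcript and the master secret, and the Finished hash additionally includes the sender role constants 0x434C4E54 (client) and 0x53525652 (server) from Figure 17.38. The transcript and master secret below are constructed sample values.

```python
import hashlib
import hmac  # used only for constant-time comparison

# Pad lengths from the text: 48 bytes for MD5, 40 bytes for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}
SENDER_CLIENT = bytes.fromhex("434C4E54")   # sender role value for the client
SENDER_SERVER = bytes.fromhex("53525652")   # sender role value for the server


def _nested_hash(hash_name, handshake_messages, sender, master_secret):
    """hash(master_secret + Pad-2 + hash(handshake_messages + sender + master_secret + Pad-1)).

    `sender` is empty for CertificateVerify and the 4-byte role constant for Finished.
    """
    pad1 = b"\x36" * PAD_LEN[hash_name]
    pad2 = b"\x5c" * PAD_LEN[hash_name]
    inner = hashlib.new(hash_name, handshake_messages + sender + master_secret + pad1).digest()
    return hashlib.new(hash_name, master_secret + pad2 + inner).digest()


def certificate_verify_hash(handshake_messages, master_secret, rsa_certificate):
    """20-byte SHA-1 hash for a DSS certificate; 36-byte MD5 || SHA-1 for an RSA certificate."""
    sha = _nested_hash("sha1", handshake_messages, b"", master_secret)
    if not rsa_certificate:
        return sha
    return _nested_hash("md5", handshake_messages, b"", master_secret) + sha


def finished_hashes(handshake_messages, sender, master_secret):
    """36-byte body of the Finished message: MD5 hash followed by SHA-1 hash."""
    return (_nested_hash("md5", handshake_messages, sender, master_secret)
            + _nested_hash("sha1", handshake_messages, sender, master_secret))


def verify_finished(received, handshake_messages, sender, master_secret):
    """Peer side: recompute over its own copy of the transcript and compare in constant time."""
    return hmac.compare_digest(finished_hashes(handshake_messages, sender, master_secret),
                               received)


# Constructed sample values, not real handshake bytes.
TRANSCRIPT = [b"ClientHello...", b"ServerHello...", b"Certificate...",
              b"ServerHelloDone", b"ClientKeyExchange..."]
MASTER_SECRET = bytes(range(48))


def demo():
    """Why the transcript and the sender role are part of the hash."""
    full = b"".join(TRANSCRIPT)
    client_fin = finished_hashes(full, SENDER_CLIENT, MASTER_SECRET)
    return {
        # the server recomputes over the identical transcript and accepts
        "server_accepts": verify_finished(client_fin, full, SENDER_CLIENT, MASTER_SECRET),
        # a transcript with one message removed in transit does not match
        "dropped_message": verify_finished(client_fin, b"".join(TRANSCRIPT[:-1]),
                                           SENDER_CLIENT, MASTER_SECRET),
        # the client's Finished cannot be reflected back as the server's: the role differs
        "reflected_as_server": verify_finished(client_fin, full, SENDER_SERVER, MASTER_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```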



Figure 17.37 Finished message (Type: 20; Length: 36; MD5 hash; SHA-1 hash)

Figure 17.38 Hash calculation for Finished message (handshake messages, sender, master secret and Pad-1 hashed with MD5 or SHA-1, then the master secret, Pad-2 and that hash hashed again; Pad-1: byte 0x36 repeated 48 times for MD5 and 40 times for SHA-1; Pad-2: byte 0x5C repeated 48 times for MD5 and 40 times for SHA-1; Sender: 0x434C4E54 for client, 0x53525652 for server)

Application Data

The Record Protocol adds a signature (MAC) at the end of the (possibly compressed) fragment coming from the application layer and then encrypts the fragment and the MAC. After adding the general header with protocol value 23, the Record message is transmitted. Note that the general header is not encrypted. Figure 17.39 shows the format.




17.4 TRANSPORT LAYER SECURITY

The Transport Layer Security (TLS) protocol is the IETF standard version of the SSL protocol. The two are very similar, with slight differences. Instead of describing TLS in full, we highlight the differences between the TLS and SSL protocols in this section.



Figure 17.39 Record Protocol message for application data (Protocol: 23; Version; Length; Compressed fragment; MAC)

Version

The first difference is the version number (major and minor). The current version of SSL is 3.0; the current version of TLS is 1.0. In other words, SSLv3.0 is compatible with TLSv1.0.

Cipher Suite

Another minor difference between SSL and TLS is the lack of support for the Fortezza method. TLS does not support Fortezza for key exchange or for encryption/decryption. Table 17.6 shows the cipher suite list for TLS (without export entries).

Generation of Cryptographic Secrets

The generation of cryptographic secrets is more complex in TLS than in SSL. TLS first defines two functions: the data-expansion function and the pseudorandom function. Let us discuss these two functions.



Data-Expansion Function

The data-expansion function uses a predefined HMAC (either MD5 or SHA-1) to expand a secret into a longer one. This function can be considered a multiple-section function, where each section creates one hash value. The extended secret is the concatenation of the hash values. Each section uses two HMACs, a secret and a seed. The data-expansion function is the chaining of as many sections as required. However, to make the next section dependent on the previous one, the second seed is actually the output of the first HMAC of the previous section, as shown in Figure 17.40.
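The data-expansion function of Figure 17.40 and the PRF built from it (described in the next subsection), as an added example that is not the book's code: each section runs one HMAC to produce the seed for the next section and one HMAC to produce its output hash, the outputs are concatenated and cut to the requested length, and the PRF XORs an MD5-based expansion of one half of the secret with a SHA-1-based expansion of the other half. The secret, label and seed below are constructed sample values; the master-secret label is the one from the TLS 1.0 specification, not from this chapter.

```python
import hashlib
import hmac


def data_expansion_sections(hash_name, secret, seed, length):
    """One list entry per section.

    Section i first computes A(i) = HMAC(secret, A(i-1)) with A(0) = seed; A(i) is the
    seed the next section depends on. It then emits the section hash HMAC(secret, A(i) + seed).
    """
    digest_size = hashlib.new(hash_name).digest_size
    sections = []
    a = seed
    while len(sections) * digest_size < length:
        a = hmac.new(secret, a, hash_name).digest()                       # first HMAC: next seed
        sections.append(hmac.new(secret, a + seed, hash_name).digest())   # second HMAC: output
    return sections


def data_expansion(hash_name, secret, seed, length):
    """Concatenation of the section hashes, truncated to the requested length."""
    return b"".join(data_expansion_sections(hash_name, secret, seed, length))[:length]


def sections_needed(hash_name, length):
    """Sections chained to cover `length` bytes: MD5 gives 16 bytes per section, SHA-1 gives 20."""
    digest_size = hashlib.new(hash_name).digest_size
    return -(-length // digest_size)


def tls_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed).

    S1 and S2 are the two halves of the secret; for an odd length they share the middle byte.
    """
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = data_expansion("md5", s1, label + seed, length)
    sha_part = data_expansion("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def tls_master_secret(pre_master_secret, client_random, server_random):
    """48-byte TLS 1.0 master secret; label and input order are those of RFC 2246."""
    return tls_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


# Constructed sample values.
SAMPLE_SECRET = bytes(range(48))
SAMPLE_SEED = b"client-random" + b"server-random"
```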



Pseudorandom Function (PRF) 

TLS defines a pseudorandom function (PRF) to be the combination of two data-expan- 
sion functions, one using MD5 and the other SHA-1. PRF takes three inputs, a secret, a 
label, and a seed. The label and seed are concatenated and serve as the seed for each data- 
expansion function. The secret is divided into two halves; each half is used as the secret for 
one data-expansion function. The outputs of the two data-expansion functions are exclusive- 
ored together to create the final expanded secret. Note that because the hashes created from 
MD5 and SHA-1 are of different sizes, extra sections of MD5-based functions must be 
created to make the two outputs the same size. Figure 17.41 shows the idea of PRF. 

Table 17.6 Cipher suite list for TLS (without export entries) 

Cipher Suite                          Key Exchange   Encryption   Hash 
TLS_NULL_WITH_NULL_NULL               NULL           NULL         NULL 
TLS_RSA_WITH_NULL_MD5                 RSA            NULL         MD5 
TLS_RSA_WITH_NULL_SHA                 RSA            NULL         SHA-1 
TLS_RSA_WITH_RC4_128_MD5              RSA            RC4          MD5 
TLS_RSA_WITH_RC4_128_SHA              RSA            RC4          SHA-1 
TLS_RSA_WITH_IDEA_CBC_SHA             RSA            IDEA         SHA-1 
TLS_RSA_WITH_DES_CBC_SHA              RSA            DES          SHA-1 
TLS_RSA_WITH_3DES_EDE_CBC_SHA         RSA            3DES         SHA-1 
TLS_DH_anon_WITH_RC4_128_MD5          DH_anon        RC4          MD5 
TLS_DH_anon_WITH_DES_CBC_SHA          DH_anon        DES          SHA-1 
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA     DH_anon        3DES         SHA-1 
TLS_DHE_RSA_WITH_DES_CBC_SHA          DHE_RSA        DES          SHA-1 
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA     DHE_RSA        3DES         SHA-1 
TLS_DHE_DSS_WITH_DES_CBC_SHA          DHE_DSS        DES          SHA-1 
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA     DHE_DSS        3DES         SHA-1 
TLS_DH_RSA_WITH_DES_CBC_SHA           DH_RSA         DES          SHA-1 
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA      DH_RSA         3DES         SHA-1 
TLS_DH_DSS_WITH_DES_CBC_SHA           DH_DSS         DES          SHA-1 
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA      DH_DSS         3DES         SHA-1 

Figure 17.40 Data-expansion function (secret and seed enter each section; each section runs two HMACs and contributes one hash value; the chained hash values form the expanded secret) 

Figure 17.41 PRF (MD5-based and SHA-1-based data-expansion functions, each fed one half of the secret, with their outputs exclusive-ored) 

Pre-master Secret 

The generation of the pre-master secret in TLS is exactly the same as in SSL. 

Master Secret 

TLS uses the PRF function to create the master secret from the pre-master secret. This 
is achieved by using the pre-master secret as the secret, the string "master secret" as the 
label, and the concatenation of the client random number and server random number as the 
seed. Note that the label is actually the ASCII code of the string "master secret". In other 
words, the label defines the output we want to generate, the master secret. Figure 17.42 
shows the idea. 



Figure 17.42 Master secret generation (pre-master secret, label, and seed CR | SR enter the pseudorandom function; CR: Client Random Number; SR: Server Random Number; |: Concatenation) 




Key Material 

TLS uses the PRF function to create the key material from the master secret. This time 
the secret is the master secret, the label is the string "key expansion", and the seed is the 
concatenation of the server random number and the client random number, as shown in 
Figure 17.43. 

Figure 17.43 Key material generation (master secret, label, and seed SR | CR enter the pseudorandom function (PRF); CR: Client Random Number; SR: Server Random Number; |: Concatenation) 



Alert Protocol 

TLS supports all of the alerts defined in SSL except for NoCertificate. TLS also adds 
some new ones to the list. Table 17.7 shows the full list of alerts supported by TLS. 


Table 17.7 Alerts defined for TLS 

Value   Description              Meaning 
0       CloseNotify              Sender will not send any more messages. 
10      UnexpectedMessage        An inappropriate message received. 
20      BadRecordMAC             An incorrect MAC received. 
21      DecryptionFailed         Decrypted message is invalid. 
22      RecordOverflow           Message is more than 2^14 + 2048. 
30      DecompressionFailure     Unable to decompress appropriately. 
40      HandshakeFailure         Sender unable to finalize the handshake. 
42      BadCertificate           Received certificate corrupted. 
43      UnsupportedCertificate   Type of received certificate is not supported. 
44      CertificateRevoked       Signer has revoked the certificate. 
45      CertificateExpired       Certificate has expired. 
46      CertificateUnknown       Certificate unknown. 
47      IllegalParameter         A field out of range or inconsistent with others. 
48      UnknownCA                CA could not be identified. 
49      AccessDenied             No desire to continue with negotiation. 
50      DecodeError              Received message could not be decoded. 
51      DecryptError             Decrypted ciphertext is invalid. 
60      ExportRestriction        Problem with U.S. restriction compliance. 
70      ProtocolVersion          The protocol version is not supported. 
71      InsufficientSecurity     More secure cipher suite needed. 
80      InternalError            Local error. 
90      UserCanceled             The party wishes to cancel the negotiation. 
100     NoRenegotiation          The server cannot renegotiate the handshake. 



Handshake Protocol 

TLS has made some changes in the Handshake Protocol. Specifically, the details of the 
CertificateVerify message and the Finished message have been changed. 

CertificateVerify Message 

In SSL, the hash used in the CertificateVerify message is the two-step hash of the hand- 
shake messages plus a pad and the master secret. TLS has simplified the process. The 
hash in TLS is only over the handshake messages, as shown in Figure 17.44. 

Figure 17.44 Hash for CertificateVerify message in TLS 




Finished Message 

The calculation of the hash for the Finished message has also been changed. TLS 
uses the PRF to calculate the two hashes used for the Finished message, as shown in 
Figure 17.45. 
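The data-expansion function, the PRF, the master secret, the key material, and the Finished hash described above, carried through as one added example (written for this section; not the book's code and not taken from any TLS implementation). The 48-byte master secret, the 12-byte Finished value, and the key-block order (two MAC secrets, two keys, two IVs) follow TLS 1.0 as published in RFC 2246; all sample values are constructed.

```python
import hashlib
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """Data-expansion function of Figure 17.40.

    Section i runs two HMACs keyed with the same secret: the first one chains
    A(i) = HMAC(secret, A(i-1)) with A(0) = seed, the second one produces the
    section's hash value HMAC(secret, A(i) | seed). Sections are chained until
    the concatenated hash values cover the requested length.
    """
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # first HMAC: next seed
        out += hmac.new(secret, a + seed, hash_name).digest()  # second HMAC: output
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF of Figure 17.41: P_MD5 over the first half of the secret XORed with
    P_SHA1 over the second half; both use label | seed as their seed.
    Each side is asked for the full length, so the MD5 side simply runs more
    sections than the SHA-1 side (16-byte versus 20-byte hash values)."""
    half = (len(secret) + 1) // 2          # halves overlap by one byte if odd
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Figure 17.42: secret = pre-master, label "master secret", seed CR | SR, 48 bytes."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Figure 17.43: secret = master secret, label "key expansion", seed SR | CR."""
    return prf(master, b"key expansion", server_random + client_random, length)


def split_key_block(block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Cut the key material into the four keys and two IVs of one cipher suite,
    in the order client MAC, server MAC, client key, server key, client IV, server IV."""
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    if len(block) != sum(sizes):
        raise ValueError("key block length does not match the cipher suite")
    out, pos = {}, 0
    for name, size in zip(names, sizes):
        out[name] = block[pos:pos + size]
        pos += size
    return out


def finished_verify_data(master: bytes, handshake_messages: bytes, client: bool) -> bytes:
    """Figure 17.45: PRF over the MD5 and SHA-1 digests of all handshake messages,
    labelled "client finished" or "server finished"; 12 bytes are kept."""
    label = b"client finished" if client else b"server finished"
    digests = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return prf(master, label, digests, 12)


if __name__ == "__main__":
    # Constructed sample values; a real handshake uses 48 random pre-master bytes
    # and the 32-byte random values carried in ClientHello and ServerHello.
    pre_master = bytes(range(48))
    cr, sr = bytes([0x11] * 32), bytes([0x22] * 32)
    ms = master_secret(pre_master, cr, sr)
    # TLS_RSA_WITH_3DES_EDE_CBC_SHA (Table 17.6): 2*20 + 2*24 + 2*8 = 104 bytes
    keys = split_key_block(key_block(ms, cr, sr, 104), mac_len=20, key_len=24, iv_len=8)
    for name, value in keys.items():
        print(f"{name:24s} {value.hex()}")
    print("client Finished verify_data:", finished_verify_data(ms, b"<handshake bytes>", True).hex())
```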

Record Protocol 

The only change in the Record Protocol is the use of HMAC for signing the message. 
TLS uses the HMAC, as defined in Chapter 11, to create the MAC. TLS also adds the 
protocol version (called Compressed version) to the text to be signed. Figure 17.46 
shows how the HMAC is formed. 







Figure 17.45 Hash for Finished message in TLS (label "client finished" for the client, "server finished" for the server) 



Figure 17.46 HMAC for TLS (MAC secret left-padded to 512 bits; ipad: byte 36 repeated 64 times; opad: byte 5C repeated 64 times; inner MD5 or SHA-1 hash over the ipad-padded secret, sequence number, compressed type, compressed version, compressed length, and compressed text; outer MD5 or SHA-1 hash over the opad-padded secret and the inner hash gives the HMAC) 
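The Record Protocol MAC of Figure 17.46 on both ends of a connection, as an added example (written for this section; not the book's code and not from any TLS library). It assumes the TLS 1.0 field order sequence number, type, version, length, fragment and the version bytes (3, 1) from RFC 2246, and a stream or null cipher so the record body is simply fragment | MAC; the secret and records are constructed.

```python
import hmac
import struct

MAC_LEN = {"md5": 16, "sha1": 20}      # HMAC output sizes used by TLS 1.0
TLS_1_0 = (3, 1)                        # version bytes carried in the record header


def tls_record_mac(hash_name: str, mac_secret: bytes, seq_num: int,
                   content_type: int, fragment: bytes, version=TLS_1_0) -> bytes:
    """HMAC over sequence number (64 bits) | compressed type | compressed
    version | compressed length | compressed fragment, keyed with the
    MAC secret of the sending side (Figure 17.46)."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def protect(hash_name: str, mac_secret: bytes, seq_num: int,
            content_type: int, fragment: bytes) -> bytes:
    """Sender side: append the MAC to the fragment (no padding for a stream or null cipher)."""
    return fragment + tls_record_mac(hash_name, mac_secret, seq_num, content_type, fragment)


def unprotect(hash_name: str, mac_secret: bytes, seq_num: int,
              content_type: int, body: bytes):
    """Receiver side: split fragment | MAC, recompute the MAC with the receiver's
    own record count and compare in constant time. Returns the fragment, or None
    when the receiver should send the BadRecordMAC alert (value 20, Table 17.7).
    Because the sequence number is part of the MAC input, a replayed record
    fails here even though its bytes are untouched."""
    n = MAC_LEN[hash_name]
    if len(body) < n:
        return None
    fragment, received = body[:-n], body[-n:]
    expected = tls_record_mac(hash_name, mac_secret, seq_num, content_type, fragment)
    if not hmac.compare_digest(expected, received):
        return None
    return fragment


if __name__ == "__main__":
    secret = b"constructed-mac-secret"           # would come from the key block
    APPLICATION_DATA = 23
    body = protect("sha1", secret, 0, APPLICATION_DATA, b"GET / HTTP/1.1")
    print("accepted:", unprotect("sha1", secret, 0, APPLICATION_DATA, body))
    print("replayed:", unprotect("sha1", secret, 1, APPLICATION_DATA, body))
```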






17.5 RECOMMENDED READING 

The following books and websites give more details about subjects discussed in this 
chapter. The items enclosed in brackets refer to the reference list at the end of the 
book. 

Books 

[Res01], [Tho00], [Sta06], [Rhe03], and [FHS03] discuss SSL and TLS. 

Websites 

The following website gives more information about topics discussed in this chapter. 



17.6 KEY TERMS 

Alert Protocol 
anonymous Diffie-Hellman 
ChangeCipherSpec Protocol 
cipher suite 
connection 
data-expansion function 
ephemeral Diffie-Hellman 
fixed Diffie-Hellman 
Fortezza 
Handshake Protocol 
Hypertext Transfer Protocol (HTTP) 
key material 
master secret 
pre-master secret 
pseudorandom function (PRF) 
Record Protocol 
Secure Sockets Layer (SSL) Protocol 
session 
Transport Layer Security (TLS) Protocol 



17.7 SUMMARY 

□ A transport layer security protocol provides end-to-end security services for appli- 
cations that use the services of a reliable transport layer protocol such as TCP. Two 
protocols are dominant today for providing security at the transport layer: Secure 
Sockets Layer (SSL) and Transport Layer Security (TLS). 

□ SSL (or TLS) provides services such as fragmentation, compression, message 
integrity, confidentiality, and framing on data received from the application layer. 
Typically, SSL (or TLS) can receive application data from any application layer 
protocol, but the protocol is normally HTTP. 

□ The combination of key exchange, hash, and encryption algorithm defines a cipher 
suite for each session. The name of each suite is descriptive of the combination. 

□ To exchange authenticated and confidential messages, the client and the server 
each need six cryptographic secrets (four keys and two initialization vectors). 

□ SSL (or TLS) makes a distinction between a connection and a session. In a session, 
one party has the role of a client and the other the role of a server; in a connection, 
both parties have equal roles, they are peers. 

□ SSL (or TLS) defines four protocols in two layers: the Handshake Protocol, 
the ChangeCipherSpec Protocol, the Alert Protocol, and the Record Protocol. The 
Handshake Protocol uses several messages to negotiate the cipher suite, to authenti- 
cate the server for the client and the client for the server if needed, and to exchange 
information for building the cryptographic secrets. The ChangeCipherSpec Proto- 
col defines the process of moving values between the pending and active states. 
The Alert Protocol reports errors and abnormal conditions. The Record Protocol 
carries messages from the upper layer (Handshake Protocol, Alert Protocol, 
ChangeCipherSpec Protocol, or application layer). 



17.8 PRACTICE SET 

Review Questions 

1. List services provided by SSL or TLS. 

2. Describe how the master secret is created from the pre-master secret in SSL. 

3. Describe how the master secret is created from the pre-master secret in TLS. 

4. Describe how key materials are created from the master secret in SSL. 

5. Describe how key materials are created from the master secret in TLS. 

6. Distinguish between a session and a connection. 

7. List and give the purpose of the four protocols defined in SSL or TLS. 

8. Define the goal of each phase in the Handshake Protocol. 

9. Compare and contrast the Handshake Protocols in SSL and TLS. 

10. Compare and contrast the Record Protocols in SSL and TLS. 

Exercises 

11. What is the length of the key material if the cipher suite is one of the following: 
a. SSL_RSA_WITH_NULL_MD5 
b. SSL_RSA_WITH_NULL_SHA 
c. TLS_RSA_WITH_DES_CBC_SHA 
d. TLS_RSA_WITH_3DES_EDE_CBC_SHA 
e. TLS_DHE_RSA_WITH_DES_CBC_SHA 
f. TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 




12. Show the number of repeated modules needed for each case in Exercise 11 
(see Figure 17.9). 

13. Compare the calculation of the master secret in SSL with that in TLS. In SSL the 
pre-master is included three times in the calculation, in TLS only once. Which 
calculation is more efficient in terms of space and time? 

14. Compare the calculation of the key material in SSL and TLS. Answer the following 
questions: 

a. Which calculation provides more security? 

b. Which calculation is more efficient in terms of space and time? 

15. The calculation of key material in SSL requires several iterations, the one for TLS 
does not. How can TLS calculate key material of variable length? 

16. When a session is resumed with a new connection, SSL does not require the full 
handshaking process. Show the messages that need to be exchanged in a partial 
handshaking. 

17. When a session is resumed, which of the following cryptographic secrets need to be 
recalculated? 

a. Pre-master secret 

b. Master secret 

c. Authentication keys 

d. Encryption keys 

e. IVs 

18. In Figure 17.20, what happens if the server sends the ChangeCipherSpec message, 
but the client does not? Which messages in the Handshake Protocol can follow? 
Which cannot? 

19. Compare the calculation of MAC in SSL and TLS (see Figure 17.22 and Figure 17.46). 
Which one is more efficient? 

20. Compare the calculation of the hash for CertificateVerify messages in SSL and TLS 
(see Figure 17.35 and Figure 17.44). Which one is more efficient? 

21. Compare the calculation of the hash for Finished messages in SSL and TLS (see 
Figure 17.38 and Figure 17.45). Answer the following questions: 

a. Which one is more secure? 

b. Which one is more efficient? 

22. TLS uses PRF for all hash calculations except for the CertificateVerify message. Give a 
reason for this exception. 

23. Most protocols have a formula to show the calculations of cryptographic secrets and 
hashes. For example, in SSL, the calculation of the master secret (see Figure 17.8) is 
as follows (concatenation is designated by a bar): 

Master Secret = MD5(pre-master | SHA-1("A" | pre-master | CR | SR)) | 
                MD5(pre-master | SHA-1("BB" | pre-master | CR | SR)) | 
                MD5(pre-master | SHA-1("CCC" | pre-master | CR | SR)) 

Show the formula for the following: 
a. Key material in SSL (Figure 17.9) 

b. MAC in SSL (Figure 17.22) 

c. Hash calculation for CertificateVerify message in SSL (Figure 17.35) 

d. Hash calculation for Finished message in SSL (Figure 17.38) 

e. Data expansion in TLS (Figure 17.40) 

f. PRF in TLS (Figure 17.41) 

g. Master secret in TLS (Figure 17.42) 

h. Key material in TLS (Figure 17.43) 

i. Hash calculation for CertificateVerify message in TLS (Figure 17.44) 

j. Hash calculation for Finished message in TLS (Figure 17.45) 

k. MAC in TLS (Figure 17.46) 

24. Show how SSL or TLS reacts to a replay attack. That is, show how SSL or TLS 
responds to an attacker that tries to replay one or more handshake messages. 

25. Show how SSL or TLS reacts to a brute-force attack. Can an intruder use an exhaus- 
tive computer search to find the encryption key in SSL or TLS? Which protocol is 
more secure in this respect, SSL or TLS? 

26. What is the risk of using short-length keys in SSL or TLS? What type of attack can 
an intruder try if the keys are short? 

27. Is SSL or TLS more secure to a man-in-the-middle attack? Can an intruder create 
key material between the client and herself and between the server and herself? 



Chapter 18 
Security at the Network Layer: IPSec 

This chapter has several objectives: 

□ To define the architecture of IPSec 

□ To discuss the application of IPSec in transport and tunnel modes 

□ To discuss how IPSec can be used to provide only authentication 

□ To discuss how IPSec can be used to provide both confidentiality and 
authentication 

□ To define Security Association and explain how it is implemented for 
IPSec 

□ To define Internet Key Exchange and explain how it is used by IPSec 

The two previous chapters have discussed the security at the applica- 
tion layer and transport layer. However, security at the above two layers 
may not be enough in some cases. First, not all client/server programs 
are protected at the application layer; for example, PGP and S/MIME 
protect only electronic mail. Second, not all client/server programs at the 
application layer use the service of TCP to be protected by SSL or TLS; 
some programs use the service of UDP. Third, many applications, such 
as routing protocols, directly use the service of IP; they need security 
services at the IP layer. 

IP Security (IPSec) is a collection of protocols designed by the 
Internet Engineering Task Force (IETF) to provide security for a packet 
at the network level. The network layer in the Internet is often referred to 
as the Internet Protocol or IP layer. IPSec helps create authenticated and 
confidential packets for the IP layer as shown in Figure 18.1. 






CHAPTER 18 SECURITY AT THE NETWORK LAYER: IPSEC 



Figure 18.1 TCP/IP protocol suite and IPSec (application, transport, IP, data link, and physical layers; IPSec is designed to provide security at the network layer) 



IPSec can be useful in several areas. First, it can enhance the security 
of those client/server programs, such as electronic mail, that use their 
own security protocols. Second, it can enhance the security of those client/ 
server programs, such as HTTP, that use the security services provided at 
the transport layer. It can provide security for those client/server pro- 
grams that do not use the security services provided at the transport 
layer. It can provide security for node-to-node communication programs 
such as routing protocols. 

18.1 TWO MODES 

IPSec operates in one of two different modes: transport mode or tunnel mode. 

Transport Mode 

In transport mode, IPSec protects what is delivered from the transport layer to the net- 
work layer. In other words, transport mode protects the network layer payload, the pay- 
load to be encapsulated in the network layer, as shown in Figure 18.2. 
Figure 18.2 IPSec in transport mode (the transport layer payload receives an IPSec header and trailer, then the network layer header; H: header; T: trailer) 






Note that transport mode does not protect the IP header. In other words, transport 
mode does not protect the whole IP packet; it protects only the packet from the trans- 
port layer (the IP layer payload). In this mode, the IPSec header (and trailer) are added 
to the information coming from the transport layer. The IP header is added later. 

IPSec in transport mode does not protect the IP header; it only protects the information 
coming from the transport layer. 



Transport mode is normally used when we need host-to-host (end-to-end) protec- 
tion of data. The sending host uses IPSec to authenticate and/or encrypt the payload 
delivered from the transport layer. The receiving host uses IPSec to check the authenti- 
cation and/or decrypt the IP packet and deliver it to the transport layer. Figure 18.3 
shows this concept. 



Figure 18.3 Transport mode in action (Host A and Host B each have a transport layer, an IPSec layer, and a network layer; the network-layer packet provides virtual communication at the network layer) 

Tunnel Mode 

In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including the 
header, applies IPSec security methods to the entire packet, and then adds a new IP 
header, as shown in Figure 18.4. 

Figure 18.4 IPSec in tunnel mode (the original network-layer packet, header included, passes through the IPSec layer and receives a new header) 



The new IP header, as we will see shortly, has different information than the origi- 
nal IP header. Tunnel mode is normally used between two routers, between a host and a 
router, or between a router and a host, as shown in Figure 18.5. In other words, tunnel 
mode is used when either the sender or the receiver is not a host. The entire original 
packet is protected from intrusion between the sender and the receiver, as if the whole 
packet goes through an imaginary tunnel. 

Figure 18.5 Tunnel mode in action (Router A and Router B; the network-layer packet is passed to the IPSec layer and wrapped in a new network-layer packet; virtual communication at the network layer) 

IPSec in tunnel mode protects the original IP header. 

Comparison 



In transport mode, the IPSec layer comes between the transport layer and the network 
layer. In tunnel mode, the flow is from the network layer to the IPSec layer and then 
back to the network layer again. Figure 18.6 compares the two modes. 



Figure 18.6 Transport mode versus tunnel mode (application layer, transport layer, IPSec layer, and network layer for each mode) 



18.2 TWO SECURITY PROTOCOLS 

IPSec defines two protocols, the Authentication Header (AH) Protocol and the Encap- 
sulating Security Payload (ESP) Protocol, to provide authentication and/or encryption 
for packets at the IP level. 

Authentication Header (AH) 

The Authentication Header (AH) Protocol is designed to authenticate the source host 
and to ensure the integrity of the payload carried in the IP packet. The protocol uses a 
hash function and a symmetric key to create a message digest; the digest is inserted in 
the authentication header. The AH is then placed in the appropriate location, based on 
the mode (transport or tunnel). Figure 18.7 shows the fields and the position of the 
authentication header in transport mode. 

Figure 18.7 Authentication Header (AH) protocol (IP header, authentication header, and the rest of the original packet; authentication header fields: next header, payload length, security parameter index, sequence number, authentication data (variable length); the authentication data are calculated over the whole datagram except those fields in the IP header changing during transmission) 



When an IP datagram carries an authentication header, the original value in the 
protocol field of the IP header is replaced by the value 51. A field inside the authentica- 
tion header (the next header field) holds the original value of the protocol field (the type 
of payload being carried by the IP datagram). The addition of an authentication header 
follows these steps: 

1. An authentication header is added to the payload with the authentication data field 
set to 0. 

2. Padding may be added to make the total length even for a particular hashing 
algorithm. 

3. Hashing is based on the total packet. However, only those fields of the IP header 
that do not change during transmission are included in the calculation of the mes- 
sage digest (authentication data). 

4. The authentication data are inserted in the authentication header. 

5. The IP header is added after changing the value of the protocol field to 51. 

A brief description of each field follows: 

□ Next header. The 8-bit next header field defines the type of payload carried by the 
IP datagram (such as TCP, UDP, ICMP, or OSPF). It has the same function as the 
protocol field in the IP header before encapsulation. In other words, the process 
copies the value of the protocol field in the IP datagram to this field. The value of 
the protocol field in the new IP datagram is now set to 51 to show that the packet 
carries an authentication header. 




□ Payload length. The name of this 8-bit field is misleading. It does not define the 
length of the payload; it defines the length of the authentication header in 4-byte 
multiples, but it does not include the first 8 bytes. 

□ Security parameter index. The 32-bit security parameter index (SPI) field plays 
the role of a virtual circuit identifier and is the same for all packets sent during a 
connection called a Security Association (discussed later). 

□ Sequence number. A 32-bit sequence number provides ordering information for 
a sequence of datagrams. The sequence numbers prevent a playback. Note that the 
sequence number is not repeated even if a packet is retransmitted. A sequence num- 
ber does not wrap around; after it reaches 2^32, a new connection must be established. 

□ Authentication data. Finally, the authentication data field is the result of apply- 
ing a hash function to the entire IP datagram except for the fields that are changed 
during transit (e.g., time-to-live). 

The AH protocol provides source authentication and data integrity but not privacy. 
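The five AH steps and the field layout above, carried through for transport mode as an added example (written for this section; not the book's code and not from any IPSec implementation). It assumes HMAC-SHA-1 truncated to 96 bits as the keyed hash (the text only says "a hash function and a symmetric key"), the IPv4 fields that change in transit to be TOS, flags/fragment offset, TTL, and header checksum, and constructed addresses, key, and payload; the checksum is left at zero for brevity.

```python
import hmac
import struct

AH_PROTOCOL = 51   # protocol field value that marks an Authentication Header
ICV_LEN = 12       # assumption: HMAC-SHA-1 output truncated to 96 bits


def ipv4_header(src: bytes, dst: bytes, protocol: int, total_length: int,
                ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header without options (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0,
                       ttl, protocol, 0, src, dst)


def immutable_ipv4_view(header: bytes) -> bytes:
    """Step 3: zero the header fields that change in transit so sender and
    receiver hash the same bytes (TOS, flags/fragment offset, TTL, checksum)."""
    v = bytearray(header)
    v[1] = 0                  # type of service
    v[6:8] = b"\x00\x00"      # flags + fragment offset
    v[8] = 0                  # time to live
    v[10:12] = b"\x00\x00"    # header checksum
    return bytes(v)


def build_ah_packet(key: bytes, src: bytes, dst: bytes, next_header: int,
                    spi: int, seq: int, payload: bytes, ttl: int = 64) -> bytes:
    """Sender: IP header (protocol 51) | AH | original payload, transport mode."""
    ah_len = 12 + ICV_LEN                       # fixed 12 bytes plus authentication data
    payload_len_field = ah_len // 4 - 2         # 4-byte units, first 8 bytes not counted
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip = ipv4_header(src, dst, AH_PROTOCOL, 20 + ah_len + len(payload), ttl)
    # Step 1: authentication data field is all zeros while the digest is computed.
    to_auth = immutable_ipv4_view(ip) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, to_auth, "sha1").digest()[:ICV_LEN]   # steps 3 and 4
    return ip + ah_fixed + icv + payload                       # step 5


def verify_ah_packet(key: bytes, packet: bytes):
    """Receiver: recompute the digest the same way and compare in constant time.
    Returns (next_header, payload) or None if the packet must be discarded."""
    if len(packet) < 20 + 12 + ICV_LEN or packet[9] != AH_PROTOCOL:
        return None
    ip, rest = packet[:20], packet[20:]
    next_header, payload_len_field = rest[0], rest[1]
    ah_len = (payload_len_field + 2) * 4
    if ah_len > len(rest):
        return None
    ah, payload = rest[:ah_len], rest[ah_len:]
    received_icv = ah[12:]
    to_auth = immutable_ipv4_view(ip) + ah[:12] + bytes(len(received_icv)) + payload
    expected = hmac.new(key, to_auth, "sha1").digest()[:len(received_icv)]
    if not hmac.compare_digest(expected, received_icv):
        return None
    return next_header, payload


if __name__ == "__main__":
    key = b"constructed-ah-key"
    pkt = build_ah_packet(key, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
                          6, 0x100, 1, b"TCP segment")
    hop = bytearray(pkt)
    hop[8] -= 1                                  # a router decremented the TTL
    print("after one hop:", verify_ah_packet(key, bytes(hop)))
    bad = bytearray(pkt)
    bad[-1] ^= 0x01                              # one payload bit changed
    print("tampered:", verify_ah_packet(key, bytes(bad)))
```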





Encapsulating Security Payload (ESP) 

The AH protocol does not provide privacy, only source authentication and data integrity. 
IPSec later defined an alternative protocol, Encapsulating Security Payload (ESP), that 
provides source authentication, integrity, and privacy. ESP adds a header and trailer. Note 
that ESP's authentication data are added at the end of the packet, which makes its calcula- 
tion easier. Figure 18.8 shows the location of the ESP header and trailer. 



Figure 18.8 ESP (IP header, ESP header with the 32-bit security parameter index and 32-bit sequence number, the rest of the payload, ESP trailer with padding, 8-bit pad length and 8-bit next header, then the authentication data; the payload and trailer are encrypted, and the ESP header, payload and trailer are authenticated) 



When an IP datagram carries an ESP header and trailer, the value of the protocol 
field in the IP header is 50. A field inside the ESP trailer (the next-header field) holds 
the original value of the protocol field (the type of payload being carried by the IP data- 
gram, such as TCP or UDP). The ESP procedure follows these steps: 

1. An ESP trailer is added to the payload. 

2. The payload and the trailer are encrypted. 

3. The ESP header is added. 

4. The ESP header, payload, and ESP trailer are used to create the authentication data. 






5. The authentication data are added to the end of the ESP trailer. 

6. The IP header is added after changing the protocol value to 50. 

The fields for the header and trailer are as follows: 

□ Security parameter index. The 32-bit security parameter index field is similar to 
that defined for the AH protocol. 

□ Sequence number. The 32-bit sequence number field is similar to that defined for 
the AH protocol. 

□ Padding. This variable-length field (0 to 255 bytes) of 0s serves as padding. 

□ Pad length. The 8-bit pad-length field defines the number of padding bytes. The 
value is between 0 and 255; the maximum value is rare. 

□ Next header. The 8-bit next-header field is similar to that defined in the AH protocol. 
It serves the same purpose as the protocol field in the IP header before encapsulation. 

□ Authentication data. Finally, the authentication data field is the result of applying 
an authentication scheme to parts of the datagram. Note the difference between the 
authentication data in AH and ESP. In AH, part of the IP header is included in the 
calculation of the authentication data; in ESP, it is not. 

ESP provides source authentication, data integrity, and privacy. 




IPv4 and IPv6 

IPSec supports both IPv4 and IPv6. In IPv6, however, AH and ESP are part of the 
extension header. 


AH versus ESP 

The ESP protocol was designed after the AH protocol was already in use. ESP does 
whatever AH does with additional functionality (privacy). The question is, why do we 
need AH? The answer is that we don't. However, the implementation of AH is already 
included in some commercial products, which means that AH will remain part of the 
Internet until these products are phased out. 



Services Provided by IPSec 

The two protocols, AH and ESP, can provide several security services for packets at the 
network layer. Table 18.1 shows the list of services available for each protocol. 

Table 18.1 IPSec services 

Services                                             AH    ESP 
Access control                                       yes   yes 
Message authentication (message integrity)           yes   yes 
Entity authentication (data source authentication)   yes   yes 
Confidentiality                                      no    yes 
Replay attack protection                             yes   yes 



Access Control 

IPSec provides access control indirectly using a Security Association Database (SAD), 
as we will see in the next section. When a packet arrives at a destination, and there is no 
Security Association already established for this packet, the packet is discarded. 

Message Integrity 

Message integrity is preserved in both AH and ESP. A digest of the data is created and sent 
by the sender to be checked by the receiver. 

Entity Authentication 

The Security Association and the keyed-hash digest of the data sent by the sender 
authenticate the sender of the data in both AH and ESP. 

Confidentiality 

The encryption of the message in ESP provides confidentiality. AH, however, does 
not provide confidentiality. If confidentiality is needed, one should use ESP instead 
of AH. 

Replay Attack Protection 

In both protocols, the replay attack is prevented by using sequence numbers and a 
sliding receiver window. Each IPSec header contains a unique sequence number when 
the Security Association is established. The number starts from 0 and increases until 
the value reaches 2^32 - 1 (the size of the sequence number field is 32 bits). When the 
sequence number reaches the maximum, it is reset to 0 and, at the same time, the 
old Security Association (see the next section) is deleted and a new one is established. 
To prevent processing duplicate packets, IPSec mandates the use of a fixed-size win- 
dow at the receiver. The size of the window is determined by the receiver with a 
default value of 64. Figure 18.9 shows a replay window. The window is of a fixed 
size, W. The shaded packets signify received packets that have been checked and 
authenticated. 

Figure 18.9 Replay window (fixed window size = W; packets to the left of the window are discarded; packets inside the window are marked if new and authenticated; new and authenticated packets to the right of the window are marked and the window slides) 




When a packet arrives at the receiver, one of three things can happen, depending 
on the value of the sequence number. 

1. The sequence number of the packet is less than N. This puts the packet to the left of 
the window. In this case, the packet is discarded. It is either a duplicate or its 
arrival time has expired. 

2. The sequence number of the packet is between N and (N + W - 1), inclusive. This 
puts the packet inside the window. In this case, if the packet is new (not marked) 
and passes the authentication test, the sequence number is marked and the packet 
is accepted. Otherwise, it is discarded. 

3. The sequence number of the packet is greater than (N + W - 1). This puts the 
packet to the right of the window. In this case, if the packet is authenticated, the 
corresponding sequence number is marked and the window slides to the right to 
cover the newly marked sequence number. Otherwise, the packet is discarded. 
Note that it may happen that a packet arrives with a sequence number much larger 
than (N + W) (very far from the right edge of the window). In this case, the sliding 
of the window may cause many unmarked numbers to fall to the left of the win- 
dow. These packets, when they arrive, will never be accepted; their time has 
expired. For example, in Figure 18.9, if a packet arrives with sequence number 
(N + W + 3), the window slides and the left edge will be at the beginning of (N + 3). 
This means the sequence number (N + 2) is now out of the window. If a packet 
arrives with this sequence number, it will be discarded. 
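The three cases above as a receiver-side replay window, added here as an example (written for this section; not the book's code and not from any IPSec implementation). It assumes that after a slide the newly accepted sequence number becomes the right edge of the window, that a packet's authentication result is passed in as a flag, and that sequence numbers never wrap within one Security Association, as the text states.

```python
class ReplayWindow:
    """Anti-replay window of one inbound IPSec Security Association (Figure 18.9).

    N (self.left) is the left edge; the numbers N .. N+W-1 are inside the window.
    Sequence numbers already accepted inside the window are kept in a set,
    which stands in for the marks of the figure."""

    MAX_SEQ = 2**32 - 1       # 32-bit sequence number field, no wrap-around

    def __init__(self, size: int = 64):
        self.size = size      # W, chosen by the receiver (default 64)
        self.left = 0         # N
        self.marked = set()   # accepted sequence numbers inside the window

    @property
    def right(self) -> int:
        return self.left + self.size - 1

    def accept(self, seq: int, authenticated: bool) -> bool:
        """Apply the three cases of the text; True means the packet is accepted."""
        if seq > self.MAX_SEQ:
            raise ValueError("sequence number exhausted; a new SA must be established")
        if seq < self.left:
            # Case 1: left of the window. Duplicate or too late: discard.
            return False
        if seq <= self.right:
            # Case 2: inside the window. Accept only if new and authenticated.
            if seq in self.marked or not authenticated:
                return False
            self.marked.add(seq)
            return True
        # Case 3: right of the window. Only an authenticated packet slides it.
        if not authenticated:
            return False
        self.marked.add(seq)
        self.left = seq - self.size + 1                   # seq becomes the right edge
        self.marked = {s for s in self.marked if s >= self.left}   # dropped marks are
        return True                                        # rejected by case 1 anyway

    def status(self) -> dict:
        return {"left": self.left, "right": self.right, "marked": sorted(self.marked)}


if __name__ == "__main__":
    # Constructed arrival sequence with W = 4: 2, 2 (replay), 3, 7 (slides), 2 (now expired)
    w = ReplayWindow(size=4)
    for seq in (2, 2, 3, 7, 2):
        print(f"seq {seq}: accepted={w.accept(seq, authenticated=True)} {w.status()}")
```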




18.3 SECURITY ASSOCIATION 

Security Association is a very important aspect of IPSec. IPSec requires a logical rela- 
tionship, called a Security Association (SA), between two hosts. This section first 
discusses the idea and then shows how it is used in IPSec. 


Idea of Security Association 

A Security Association is a contract between two parties; it creates a secure channel 
between them. Let us assume that Alice needs to unidirectionally communicate with 
Bob. If Alice and Bob are interested only in the confidentiality aspect of security, they 
can get a shared secret key between themselves. We can say that there are two Security 
Associations (SAs) between Alice and Bob: one outbound SA and one inbound SA. 
Each of them stores the value of the key in a variable and the name of the encryption/ 
decryption algorithm in another. Alice uses the algorithm and the key to encrypt a mes- 
sage to Bob; Bob uses the algorithm and the key when he needs to decrypt the message 
received from Alice. Figure 18.10 shows a simple SA. 

The Security Associations can be more involved if the two parties need message
integrity and authentication. Each association needs other data such as the algorithm
for message integrity, the key, and other parameters. It can be much more complex if
the parties need to use specific algorithms and specific parameters for different proto-
cols, such as IPSec AH or IPSec ESP.



Figure 18.10 Simple SA

[Figure: Alice's outbound SA and Bob's inbound SA, each holding an algorithm and a key]



Security Association Database (SAD)

A Security Association can be very complex. This is particularly true if Alice wants to
send messages to many people and Bob needs to receive messages from many people.
In addition, each site needs to have both inbound and outbound SAs to allow bidirec-
tional communication. In other words, we need a set of SAs that can be collected into a
database. This database is called the Security Association Database (SAD). The data-
base can be thought of as a two-dimensional table with each row defining a single SA.
Normally, there are two SADs, one inbound and one outbound. Figure 18.11 shows the
concept of outbound and inbound SADs for one entity.

Figure 18.11 SAD

[Figure: outbound and inbound Security Association Databases, one row per SA; the
columns are the SA parameters abbreviated below]

SPI: Security Parameter Index            SN: Sequence Number
DA: Destination Address                  OF: Overflow Flag
AH/ESP: Information for either one       ARW: Anti-Replay Window
P: Protocol                              LT: Lifetime
Mode: IPSec Mode Flag                    MTU: Path MTU (Maximum Transfer Unit)



When a host needs to send a packet that must carry an IPSec header, the host
needs to find the corresponding entry in the outbound SAD to find the information
for applying security to the packet. Similarly, when a host receives a packet that
carries an IPSec header, the host needs to find the corresponding entry in the
inbound SAD to find the information for checking the security of the packet. This
matching must be specific in the sense that the receiving host needs to be sure that
correct information is used for processing the packet. Each entry in an inbound SAD
is selected using a triple index: security parameter index, destination address, and
protocol.



❑ Security Parameter Index. The security parameter index (SPI) is a 32-bit num-
ber that defines the SA at the destination. As we will see later, the SPI is deter-
mined during the SA negotiation. The same SPI is included in all IPSec packets
belonging to the same inbound SA.

❑ Destination Address. The second index is the destination address of the host. We
need to remember that a host in the Internet normally has one unicast destination
address, but may have several multicast addresses. IPSec requires that the SAs be
unique for each destination address.

❑ Protocol. IPSec uses two different security protocols: AH and ESP. To separate the
parameters and information used for each protocol, IPSec requires that a destina-
tion define a different SA for each protocol.

The entries for each row are called the SA parameters. Typical parameters are shown in
Table 18.2.



Table 18.2 SA parameters

Parameter                   Description
Sequence Number Counter     A 32-bit value that is used to generate sequence numbers
                            for the AH or ESP header.
Sequence Number Overflow    A flag that defines the station's options in the event of a
                            sequence number overflow.
Anti-Replay Window          Used to determine whether an inbound AH or ESP packet is
                            a replay.
AH Information              Information for the AH protocol: 1. authentication
                            algorithm, 2. keys, 3. key lifetime, 4. other related
                            parameters.
ESP Information             Information for the ESP protocol: 1. encryption algorithm,
                            2. authentication algorithm, 3. keys, 4. key lifetime,
                            5. initialization vectors, 6. other related parameters.
SA Lifetime                 Defines the lifetime for the SA.
IPSec Mode                  Defines the mode, transport or tunnel.
Path MTU                    Defines the path MTU (fragmentation).






18.4 SECURITY POLICY

Another important aspect of IPSec is the Security Policy (SP), which defines the type of
security applied to a packet when it is to be sent or when it has arrived. Before using the
SAD, discussed in the previous section, a host must determine the predefined policy for
the packet.

Security Policy Database

Each host that is using the IPSec protocol needs to keep a Security Policy Database
(SPD). Again, there is a need for an inbound SPD and an outbound SPD. Each entry in
the SPD can be accessed using a sextuple index: source address, destination address,
name, protocol, source port, and destination port, as shown in Figure 18.12.



Figure 18.12 SPD

[Figure: Security Policy Database; each entry is indexed by the sextuple
<SA, DA, Name, P, SPort, DPort>]

SA: Source Address             SPort: Source Port
DA: Destination Address        DPort: Destination Port
P: Protocol

Source and destination addresses can be unicast, multicast, or wildcard addresses.
The name usually defines a DNS entity. The protocol is either AH or ESP. The source
and destination ports are the port addresses for the process running at the source and
destination hosts.

Outbound SPD

When a packet is to be sent out, the outbound SPD is consulted. Figure 18.13 shows the
processing of a packet by a sender.

The input to the outbound SPD is the sextuple index; the output is one of the three
following cases:

1. Drop. This means that the packet defined by the index cannot be sent; it is
dropped.

2. Bypass. This means that there is no policy for the packet with this policy index;
the packet is sent, bypassing the security header application.



Figure 18.13 Outbound processing

[Figure: Alice's stack (application, transport, IP, data-link and physical layers).
The IP layer looks up the packet's index in the outbound SPD to obtain a policy and,
for the Apply case, selects the SA from the outbound SAD before the packet goes to Bob]

3. Apply. In this case, the security header is applied. Two situations may occur:

a. If an outbound SA is already established, a triple SA index is
returned that selects the corresponding SA from the outbound SAD.
The AH or ESP header is formed; encryption, authentication, or both
are applied based on the SA selected. The packet is transmitted.

b. If an outbound SA is not established yet, the Internet Key Exchange
(IKE) protocol (see the next section) is called to create an outbound
and inbound SA for this traffic. The outbound SA is added to the out-
bound SAD by the source; the inbound SA is added to the inbound
SAD by the destination.



Inbound SPD

When a packet arrives, the inbound SPD is consulted. Each entry in the inbound SPD is
also accessed using the same sextuple index. Figure 18.14 shows the processing of a
packet by a receiver.



Figure 18.14 Inbound processing

[Figure: Bob's stack (application, transport, IP, data-link and physical layers).
For a packet arriving from Alice, the IP layer looks up its index in the inbound SPD
to obtain a policy and, for the Apply case, selects the SA from the inbound SAD]

1. Discard. This means that the packet defined by that policy must be dropped.

2. Bypass. This means that there is no policy for a packet with this policy index.

3. Apply.

a. If an inbound SA is already established, a triple SA index is returned that
selects the corresponding inbound SA from the inbound SAD. Decryp-
tion, authentication, or both are applied. If the packet passes the security
checks, the security header is removed and the packet is delivered.

b. If an SA is not yet established, the packet must be discarded.
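As an added example (not from the book), a Python model of the outbound and inbound processing just described: the sextuple index selects a policy in the SPD, and the triple (SPI, destination address, protocol) selects the SA in the SAD. The AH integrity check is modelled as an HMAC over the payload; all addresses, SPIs, keys and names are constructed sample values, and "*" is a constructed wildcard.

```python
# Added example: SPD lookup by sextuple, SAD lookup by (SPI, DA, protocol),
# and the Drop / Bypass / Apply decisions of Figures 18.13 and 18.14.
import hashlib
import hmac

SEXTUPLE = ("src", "dst", "name", "proto", "sport", "dport")


def spd_lookup(spd, packet):
    """First SPD entry whose sextuple matches wins; '*' matches any value.
    Returns (policy, sa_triple): for 'apply' entries the triple names the SA."""
    index = tuple(packet[f] for f in SEXTUPLE)
    for entry, policy, sa_triple in spd:
        if all(e == "*" or e == v for e, v in zip(entry, index)):
            return policy, sa_triple
    return "drop", None            # constructed default when nothing matches


def icv(key, payload):
    """Integrity check value: HMAC-SHA-256 standing in for AH authentication."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def outbound(spd, sad, packet):
    """Sender side (Figure 18.13)."""
    policy, sa_triple = spd_lookup(spd, packet)
    if policy == "drop":
        return "dropped", None
    if policy == "bypass":
        return "sent-plain", dict(packet)
    sa = sad.get(sa_triple)
    if sa is None:
        return "call-IKE", None    # no outbound SA yet: IKE must negotiate one
    spi, _, sec_proto = sa_triple
    protected = dict(packet, spi=spi, sec_proto=sec_proto,
                     icv=icv(sa["key"], packet["payload"]))
    return "sent-" + sec_proto, protected


def inbound(spd, sad, packet):
    """Receiver side (Figure 18.14); the text calls the first case Discard."""
    policy, _ = spd_lookup(spd, packet)
    if policy in ("drop", "discard"):
        return "discarded"
    if policy == "bypass":
        return "delivered-plain"
    # the triple comes from the packet's own AH/ESP header and IP header
    sa = sad.get((packet.get("spi"), packet["dst"], packet.get("sec_proto")))
    if sa is None:
        return "discarded"         # no inbound SA established for this triple
    if not hmac.compare_digest(icv(sa["key"], packet["payload"]), packet["icv"]):
        return "discarded"         # failed authentication
    return "delivered"


def demo():
    """Alice (10.0.0.1) sends to Bob (10.0.0.2); both SPDs say 'apply' AH."""
    key = b"constructed-ah-key"
    triple = (0x1001, "10.0.0.2", "AH")
    alice_spd = [(("10.0.0.1", "10.0.0.2", "*", "tcp", "*", 80), "apply", triple),
                 (("*", "*", "*", "*", "*", "*"), "bypass", None)]
    alice_sad = {triple: {"key": key, "alg": "hmac-sha256"}}
    bob_spd = [(("10.0.0.1", "10.0.0.2", "*", "tcp", "*", 80), "apply", None)]
    bob_sad = {triple: {"key": key, "alg": "hmac-sha256"}}

    pkt = {"src": "10.0.0.1", "dst": "10.0.0.2", "name": "alice.example",
           "proto": "tcp", "sport": 40000, "dport": 80, "payload": b"GET / HTTP/1.0"}
    status, wire = outbound(alice_spd, alice_sad, pkt)
    ok = inbound(bob_spd, bob_sad, wire)
    # a payload altered in transit fails the SA's integrity check at Bob
    bad = inbound(bob_spd, bob_sad, dict(wire, payload=b"GET /admin HTTP/1.0"))
    # policy says apply, but no SA exists for that destination yet
    no_sa, _ = outbound([(("*", "*", "*", "*", "*", "*"), "apply",
                          (0x2002, "10.0.0.3", "ESP"))],
                        alice_sad, dict(pkt, dst="10.0.0.3"))
    return status, ok, bad, no_sa
```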



18.5 INTERNET KEY EXCHANGE (IKE)

Internet Key Exchange (IKE) is a protocol designed to create both inbound and
outbound Security Associations. As we discussed in the previous section, when a peer
needs to send an IP packet, it consults the Security Policy Database (SPD) to see if
there is an SA for that type of traffic. If there is no SA, IKE is called to establish one.

IKE creates SAs for IPSec.



IKE is a complex protocol based on three other protocols: Oakley, SKEME, and
ISAKMP, as shown in Figure 18.15.

Figure 18.15 IKE components

[Figure: Internet Key Exchange (IKE) built on Oakley, SKEME, and ISAKMP]



The Oakley protocol was developed by Hilarie Orman. It is a key creation protocol
based on the Diffie-Hellman key-exchange method, but with some improvements as we
shall see shortly. Oakley is a free-formatted protocol in the sense that it does not define
the format of the message to be exchanged. We do not discuss the Oakley protocol
directly in this chapter, but we show how IKE uses its ideas.

SKEME, designed by Hugo Krawczyk, is another protocol for key exchange. It
uses public-key encryption for entity authentication in a key-exchange protocol. We
will see shortly that one of the methods used by IKE is based on SKEME.

The Internet Security Association and Key Management Protocol (ISAKMP) is
a protocol designed by the National Security Agency (NSA) that actually implements the
exchanges defined in IKE. It defines several packets, protocols, and parameters that allow
the IKE exchanges to take place in standardized, formatted messages to create SAs. We
will discuss ISAKMP in the next section as the carrier protocol that implements IKE.
In this section, we discuss IKE itself: the mechanism for creating SAs for IPSec.



Improved Diffie-Hellman Key Exchange

The key-exchange idea in IKE is based on the Diffie-Hellman protocol. This protocol
provides a session key between two peers without the need for the existence of any
previous secret. We have discussed Diffie-Hellman in Chapter 15; the concept is sum-
marized in Figure 18.16.



Figure 18.16 Diffie-Hellman key exchange

[Figure: both parties know the values of p and g; the initiator sends
KE-I = g^i mod p and the responder replies with KE-R = g^r mod p]





In the original Diffie-Hellman key exchange, the parties create a symmetric ses-
sion key to exchange data without having to remember or store the key for future use.
Before establishing a symmetric key, the two parties need to choose two numbers p and g.
The first number, p, is a large prime on the order of 300 decimal digits (1024 bits). The
second number, g, is a generator in the group <Z_p*, x>. Alice chooses a large ran-
dom number i and calculates KE-I = g^i mod p. She sends KE-I to Bob. Bob chooses
another large random number r and calculates KE-R = g^r mod p. He sends KE-R to
Alice. We refer to KE-I and KE-R as half-keys; each is the half-key generated by a peer.
They need to be combined together to create the full key, which is K = g^(ir) mod p.
K is the symmetric key for the session.

The Diffie-Hellman protocol has some weaknesses that need to be eliminated
before it is suitable as an Internet key exchange.
Clogging Attack

The first issue with the Diffie-Hellman protocol is the clogging attack or denial-of-
service attack. A malicious intruder can send many half-key (g^i mod q) messages to
Bob, pretending that they are from different sources. Bob then needs to calculate differ-
ent responses (g^r mod q) and at the same time calculate the full key (g^(ir) mod q). This
keeps Bob so busy that he may stop responding to any other messages. He denies ser-
vices to clients. This can happen because the Diffie-Hellman protocol is computation-
ally intensive.

To prevent this clogging attack, we can add two extra messages to the protocol to
force the two parties to send cookies. Figure 18.17 shows the refinement that can pre-
vent a clogging attack. The cookie is the result of hashing a unique identifier of the peer
(such as IP address, port number, and protocol), a secret random number known to the
party that generates the cookie, and a timestamp.



Figure 18.17 Diffie-Hellman with cookies

[Figure: Initiator and Responder, both knowing p and g. 1: Cookie-I;
2: Cookie-I, Cookie-R; 3: Cookie-I, Cookie-R, KE-I = g^i mod p;
4: Cookie-I, Cookie-R, KE-R = g^r mod p. Both then compute the shared
secret key K = g^(ir) mod p]

The initiator sends its own cookie; the responder its own. Both cookies are repeated,
unchanged, in every following message. The calculations of half-keys and the session key
are postponed until the cookies are returned. If any of the peers is a hacker attempting a
clogging attack, the cookies are not returned; the corresponding party does not spend the
time and effort to calculate the half-key or the session key. For example, if the initiator is
a hacker using a bogus IP address, the initiator does not receive the second message and
cannot send the third message. The process is aborted.

To protect against a clogging attack, IKE uses cookies.
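As an added example (not from the book), a Python model of the cookie exchange of Figure 18.17: the cookie is a keyed hash of the peer identifier (IP, port, protocol), a secret known only to the party that generated it, and a timestamp, and neither party does a modular exponentiation before its cookie has come back. The prime, generator, addresses and timestamp are constructed toy values.

```python
# Added example: Diffie-Hellman with cookies. The exponentiation counter shows
# that a responder facing a spoofed source address does no expensive work.
import hashlib
import hmac
import os

P = 2**127 - 1     # constructed toy prime; real IKE groups are 1024 bits and more
G = 5              # constructed generator


def make_cookie(secret, peer_ip, peer_port, proto, timestamp):
    """Cookie = hash(peer identifier, generator's secret, timestamp), 8 bytes."""
    ident = f"{peer_ip}|{peer_port}|{proto}|{timestamp}".encode()
    return hmac.new(secret, ident, hashlib.sha256).digest()[:8]


class Peer:
    """One Diffie-Hellman party that counts its modular exponentiations."""

    def __init__(self, ip):
        self.ip = ip
        self.secret = os.urandom(16)   # secret random number behind this peer's cookies
        self.exps = 0                  # modular exponentiations performed so far
        self.x = None                  # private exponent (i or r in the text)

    def cookie_for(self, peer_ip, timestamp):
        return make_cookie(self.secret, peer_ip, 500, "udp", timestamp)

    def half_key(self):
        """KE = g^x mod p, computed only after the cookie has been returned."""
        self.x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
        self.exps += 1
        return pow(G, self.x, P)

    def full_key(self, other_half):
        self.exps += 1
        return pow(other_half, self.x, P)


def run_exchange(init_src_ip, timestamp=12345):
    """Runs the four messages of Figure 18.17. init_src_ip is the source address
    the initiator's packets carry; if it is bogus, message 2 goes elsewhere."""
    initiator = Peer("10.0.0.1")
    responder = Peer("10.0.0.2")
    reachable = {initiator.ip: initiator, responder.ip: responder}

    # Message 1: Cookie-I (no exponentiation yet)
    cookie_i = initiator.cookie_for(responder.ip, timestamp)
    # Message 2: Cookie-I, Cookie-R, sent back to the claimed source address
    cookie_r = responder.cookie_for(init_src_ip, timestamp)
    if reachable.get(init_src_ip) is not initiator:
        return {"aborted_at": 2, "responder_exps": responder.exps, "key_match": None}

    # Message 3: initiator sees its own cookie returned, then computes KE-I
    if cookie_i != initiator.cookie_for(responder.ip, timestamp):
        return {"aborted_at": 3, "responder_exps": responder.exps, "key_match": None}
    ke_i = initiator.half_key()

    # Message 4: responder recomputes Cookie-R statelessly before any exponentiation
    if cookie_r != responder.cookie_for(init_src_ip, timestamp):
        return {"aborted_at": 4, "responder_exps": responder.exps, "key_match": None}
    ke_r = responder.half_key()

    k_init = initiator.full_key(ke_r)
    k_resp = responder.full_key(ke_i)
    return {"aborted_at": None, "responder_exps": responder.exps,
            "key_match": k_init == k_resp}


def forged_third_message(timestamp=12345):
    """A message 3 arriving with a guessed Cookie-R (messages 1 and 2 skipped)
    is rejected before the responder computes anything."""
    responder = Peer("10.0.0.2")
    guessed = os.urandom(8)
    accepted = guessed == responder.cookie_for("10.0.0.9", timestamp)
    return accepted, responder.exps
```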

Replay Attack

Like other protocols we have seen so far, Diffie-Hellman is vulnerable to a replay
attack; the information from one session can be replayed in a future session by a mali-
cious intruder. To prevent this, we can add nonces to the third and fourth messages to
preserve the freshness of the message.

To protect against a replay attack, IKE uses nonces.



Man-In-The-Middle Attack

The third, and the most dangerous, attack on the Diffie-Hellman protocol is the man-in-
the-middle attack, previously discussed in Chapter 15. Eve can come in the middle and
create one key between Alice and herself and another key between Bob and herself.
Thwarting this attack is not as simple as the other two. We need to authenticate each
party. Authentication here means the authentication of the messages exchanged (message
integrity) and the authentication of the parties (entity authentication), in which each party
proves his/her claimed identity. To do this, each must prove that it possesses a secret.

To protect against a man-in-the-middle attack, IKE requires that each party show
that it possesses a secret.

In IKE, the secret can be one of the following:

a. A preshared secret key.

b. A preknown encryption/decryption public-key pair. An entity must show that a
message encrypted with the announced public key can be decrypted with the corre-
sponding private key.

c. A preknown digital signature public-key pair. An entity must show that it can sign
a message with its private key which can be verified with its announced public key.

IKE Phases

IKE creates SAs for a data exchange protocol such as IPSec. IKE, however, needs
SAs of its own to protect its messages. What protocol provides SAs for IKE? If some
protocol X did, protocol X itself would require SAs, and so on: IKE must create SAs
for IPSec, protocol X must create SAs for IKE, protocol Y needs to create SAs for
protocol X, and so on. To solve this dilemma and, at the same time, to make IKE inde-
pendent of the IPSec protocol, the designers of IKE divided IKE into two phases. In
phase I, IKE creates SAs for phase II. In phase II, IKE creates SAs for IPSec or some
other protocol. Phase I is generic; phase II is specific for the protocol.

IKE is divided into two phases: phase I and phase II. Phase I creates SAs for phase II.
Phase II creates SAs for a data exchange protocol such as IPSec.

Still, the question remains: How is phase I protected? In the next sections we show
that the SA for phase I is formed in a gradual manner. Each message in phase I is
protected with the keys created from the earlier messages.

Phases and Modes

To allow for a variety of exchange methods, IKE has defined modes for the phases. So
far, two modes have been defined for phase I, the main mode and the aggressive mode,
and only one mode for phase II. Figure 18.18 shows the relation between phases and
modes.



Figure 18.18 IKE phases

[Figure: Phase I, in either Main Mode (six exchanges) or Aggressive Mode (three
exchanges), followed by Phase II, then End]



Based on the nature of the pre-secret between the two parties, the phase I modes
can use one of four different authentication methods: the preshared secret key method,
the original public-key method, the revised public-key method, or the digital signature
method, as shown in Figure 18.19.

Figure 18.19 Phase I mode methods

[Figure: each phase I mode uses one of four methods: Pre-shared secret key,
Original public key, Revised public key, Digital signature]

Phase I: Main Mode

In the main mode, the initiator and the responder exchange six messages. In the first two
messages, they exchange cookies (to protect against a clogging attack) and negotiate the
SA parameters. The initiator sends a series of proposals; the responder selects one of them.
When the first two messages are exchanged, the initiator and the responder know the SA
parameters and are confident that the other party exists (no clogging attack occurs).

In the third and fourth messages, the initiator and responder usually exchange their
half-keys (g^i and g^r of the Diffie-Hellman method) and their nonces (for replay protec-
tion). In some methods other information is exchanged; that will be discussed later.
Note that the half-keys and nonces are not sent with the first two messages because the
two parties must first ensure that a clogging attack is not possible.



After exchanging the third and fourth messages, each party can calculate the com-
mon secret between them in addition to its individual hash digest. The common secret
SKEYID (secret key ID) is dependent on the calculation method as shown below. In the
equations, prf (pseudorandom function) is a keyed-hash function defined during the
negotiation phase.

[Equations: SKEYID calculation for the preshared-key method and for the other methods]



Other common secrets are calculated as follows:






SKEYID_d (derived key) is a key to create other keys. SKEYID_a is the authenti-
cation key and SKEYID_e is used for the encryption key; both are used during the
negotiation phase. The first parameter (SKEYID) is calculated for each key-exchange
method separately. The second parameter is a concatenation of various data. Note that
the key for prf is always SKEYID.

The two parties also calculate two hash digests, HASH-I and HASH-R, which are
used in three of the four methods in the main mode. The calculation is shown below.






Note that the first digest uses ID-I, while the second uses ID-R. Both use SA-I, the
entire SA data sent by the initiator. Neither of them includes the proposal selected by the
responder. The idea is to protect the proposal sent by the initiator by preventing an
intruder from making changes. For example, an intruder might try to send a list of pro-
posals more vulnerable to attack. Similarly, if the SA is not included, an intruder might
change the selected proposal to one more favorable to himself. Note also that a party does
not need to know the ID of the other party in the calculation of its own hash.

After calculating the keys and hashes, each party sends the hash to the other party to
authenticate itself. The initiator sends HASH-I to the responder as proof that she is Alice.
Only Alice knows the authentication secret and only she can calculate HASH-I. If the
HASH-I then calculated by Bob matches the HASH-I sent by Alice, she is authenticated.
In the same way, Bob can authenticate himself to Alice by sending HASH-R.



Note that there is a subtle point here. When Bob calculates HASH-I, he needs Alice's
ID and vice versa. In some methods, the ID is sent by previous messages; in others it is
sent with the hash, with both the hash and the ID encrypted by SKEYID_e.

Preshared Secret-Key Method

In the preshared secret-key method, a symmetric key is used for authentication of the
peers to each other. Figure 18.20 shows shared-key authentication in the main mode.



Figure 18.20 Main mode, preshared secret-key method

KE-I (KE-R): Initiator's (responder's) half-key     HDR: General header including cookies
N-I (N-R): Initiator's (responder's) nonce           (shaded): Encrypted with SKEYID_e
HASH-I (HASH-R): Initiator's (responder's) hash

[Figure: Initiator and Responder share a preshared key. 1: HDR, SA-offered;
2: HDR, SA-selected; 3: HDR, KE-I, N-I; 4: HDR, KE-R, N-R; 5: HDR, ID-I, HASH-I
(encrypted); 6: HDR, ID-R, HASH-R (encrypted). Result: SA for Phase II]



In the first two messages, the initiator and responder exchange cookies (inside the
general header) and SA parameters. In the next two messages, they exchange the half-
keys and the nonces (see Chapter 15). Now the two parties can create SKEYID and the
two keyed hashes (HASH-I and HASH-R). In the fifth and sixth messages, the two
parties exchange the created hashes and their IDs. To protect the IDs and hashes, the
last two messages are encrypted with SKEYID_e.

Note that the preshared key is the secret between Alice (initiator) and Bob
(responder). Eve (intruder) does not have access to this key. Eve cannot create SKEYID
and therefore cannot create either HASH-I or HASH-R. Note that the IDs need to be
exchanged in messages 5 and 6 to allow the calculation of the hash.

There is one problem with this method. Bob cannot decrypt the message unless he
knows the preshared key, which means he must know who Alice is (know her ID). But
Alice's ID is encrypted in message 5. The designer of this method has argued that the
ID in this case is the IP address of the peer. This is not an issue if Alice is on a
fixed network (the IP address is fixed). However, if Alice is moving from one network
to another, this is a problem.
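As an added example (not from the book), the preshared-key calculation of SKEYID, of the three derived keys and of HASH-I/HASH-R, written out as RFC 2409 defines them; the book's equations describe the same values in words (prf keyed with SKEYID, HASH-I covering the half-keys, cookies, all of SA-I and ID-I). HMAC-SHA-256 is assumed for prf, and all cookies, nonces, half-keys, IDs and SA-I bytes are constructed values.

```python
# Added example: preshared-key SKEYID, SKEYID_d/a/e and HASH-I/HASH-R (RFC 2409 form).
import hashlib
import hmac


def prf(key, data):
    """Keyed hash used as IKE's pseudorandom function (HMAC-SHA-256 assumed)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_preshared(psk, n_i, n_r):
    """Preshared-key method: SKEYID = prf(preshared key, N-I | N-R)."""
    return prf(psk, n_i + n_r)


def derive_keys(skeyid, g_xy, c_i, c_r):
    """SKEYID_d, SKEYID_a, SKEYID_e; the prf key is always SKEYID."""
    d = prf(skeyid, g_xy + c_i + c_r + b"\x00")
    a = prf(skeyid, d + g_xy + c_i + c_r + b"\x01")
    e = prf(skeyid, a + g_xy + c_i + c_r + b"\x02")
    return d, a, e


def hash_i(skeyid, ke_i, ke_r, c_i, c_r, sa_i, id_i):
    """HASH-I covers the half-keys, the cookies, the whole SA-I offer and ID-I."""
    return prf(skeyid, ke_i + ke_r + c_i + c_r + sa_i + id_i)


def hash_r(skeyid, ke_i, ke_r, c_i, c_r, sa_i, id_r):
    """HASH-R swaps the order of half-keys and cookies and uses ID-R."""
    return prf(skeyid, ke_r + ke_i + c_r + c_i + sa_i + id_r)


def main_mode_authentication(psk_initiator, psk_responder, tampered_sa=False):
    """Each side computes SKEYID from its own copy of the preshared key; the
    responder authenticates the initiator by recomputing HASH-I. tampered_sa
    models an intruder changing the initiator's proposal list in transit."""
    # constructed values that in the real exchange come from messages 1 to 4
    c_i, c_r = b"\x11" * 8, b"\x22" * 8
    n_i, n_r = b"\xa1" * 16, b"\xb2" * 16
    ke_i, ke_r = b"\x01" * 32, b"\x02" * 32
    g_xy = b"\x03" * 32                      # the Diffie-Hellman secret g^ir mod p
    id_i = b"10.0.0.1"
    sa_i_sent = b"proposal:AES-128,SHA-256;3DES,SHA-1"
    sa_i_seen = b"proposal:3DES,SHA-1" if tampered_sa else sa_i_sent

    # initiator side: message 5 carries ID-I and HASH-I (encrypted with SKEYID_e)
    skeyid_i = skeyid_preshared(psk_initiator, n_i, n_r)
    h_i = hash_i(skeyid_i, ke_i, ke_r, c_i, c_r, sa_i_sent, id_i)

    # responder side: recompute HASH-I over what it saw and compare
    skeyid_r = skeyid_preshared(psk_responder, n_i, n_r)
    expected = hash_i(skeyid_r, ke_i, ke_r, c_i, c_r, sa_i_seen, id_i)
    authenticated = hmac.compare_digest(h_i, expected)

    d, a, e = derive_keys(skeyid_r, g_xy, c_i, c_r)
    return {"authenticated": authenticated, "distinct_keys": len({d, a, e}) == 3}
```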

Original Public-Key Method

In the original public-key method, the parties authenticate each other by
showing that they possess a private key related to their announced public key. Figure 18.21
shows the exchange of messages using the original public-key method.

s <> , ' 

Figure 18.21 Main mode, original public-key method

HDR: General header including cookies             (shaded 1): Encrypted with initiator's public key
KE-I (KE-R): Initiator's (responder's) half-key   (shaded 2): Encrypted with responder's public key
N-I (N-R): Initiator's (responder's) nonce         (shaded 3): Encrypted with SKEYID_e
ID-I (ID-R): Initiator's (responder's) ID
HASH-I (HASH-R): Initiator's (responder's) hash

[Figure: Initiator and Responder know each other's public keys. 1: HDR, SA-offered;
2: HDR, SA-selected; 3: HDR, KE-I, N-I and ID-I (each encrypted with the responder's
public key); 4: HDR, KE-R, N-R and ID-R (each encrypted with the initiator's public
key); 5: HDR, HASH-I; 6: HDR, HASH-R. Result: SA for Phase II]

In the third message the initiator sends its half-key, the nonce, and the ID. In the fourth
message the responder does likewise. However, the nonces and IDs are encrypted by the
public key of the other party. As can be seen from Figure 18.21, the nonces and IDs are
encrypted separately, because, as we will see later, they are encoded separately in separate
payloads.

One difference between this method and the previous one is that the IDs are
exchanged with the third and fourth messages instead of the fifth and sixth messages.
The fifth and sixth messages just carry the HASHs.



The calculation of SKEYID in this method is based on a hash of the nonces and the
symmetric key. The hash of the nonces is used as the key for the keyed-HMAC function.
Note that here we use a double hash. Although SKEYID, and consequently the hashes,
are not directly dependent on the secret that each party possesses, they are related indi-
rectly: SKEYID depends on the nonces and the nonces can only be decrypted by the
private key (secret) of the receiver. So if the calculated hashes match those received, it
is proof that each party is who it claims to be.

Revised Public-Key Method

The original public-key method has some drawbacks. First, two instances of public-key
encryption/decryption place a heavy load on the initiator and responder. Second, the
initiator cannot send its certificate encrypted by the public key of the responder, since
anyone could do that with a false certificate. The method was revised so that the public
key is used only to encrypt a temporary secret key, as shown in Figure 18.22.

Figure 18.22 Main mode, revised public-key method

HDR: General header including cookies                   (shaded 1): Encrypted with initiator's public key
KE-I (KE-R): Initiator's (responder's) half-key         (shaded 2): Encrypted with responder's public key
Cert-I (Cert-R): Initiator's (responder's) certificate  (shaded 3): Encrypted with responder's secret key
N-I (N-R): Initiator's (responder's) nonce               (shaded 4): Encrypted with initiator's secret key
ID-I (ID-R): Initiator's (responder's) ID                (shaded 5): Encrypted with SKEYID_e
HASH-I (HASH-R): Initiator's (responder's) hash

[Figure: 1: HDR, SA-offered; 2: HDR, SA-selected; 3: HDR, N-I (encrypted with the
responder's public key), KE-I, ID-I and optional Cert-I (encrypted with the initiator's
temporary secret key); 4: HDR, N-R (encrypted with the initiator's public key), KE-R,
ID-R and optional Cert-R (encrypted with the responder's temporary secret key);
5: HDR, HASH-I; 6: HDR, HASH-R. Result: SA for Phase II]



Note that two temporary secret keys are created from a hash of nonces and cook-
ies. The initiator uses the public key of the responder to send its nonce. The responder
decrypts the nonce and calculates the initiator's temporary secret key. After that the
half-key, the ID, and the optional certificate can be decrypted. The two temporary
secret keys, K-I and K-R, are calculated as:




Digital Signature Method

In this method, each party shows that it possesses the certified private key related to a
digital signature. Figure 18.23 shows the exchanges in this method. It is similar to the
preshared-key method except for the SKEYID calculation.

Figure 18.23 Main mode, digital signature method

HDR: General header including cookies                   N-I (N-R): Initiator's (responder's) nonce
Sig-I: Initiator's signature on messages 1-4            KE-I (KE-R): Initiator's (responder's) half-key
Sig-R: Responder's signature on messages 1-5            ID-I (ID-R): Initiator's (responder's) ID
Cert-I (Cert-R): Initiator's (responder's) certificate  (shaded): Encrypted with SKEYID_e

[Figure: Initiator and Responder hold digital signature keys. 1: HDR, SA-offered;
2: HDR, SA-selected; 3: HDR, KE-I, N-I; 4: HDR, KE-R, N-R; 5: HDR, ID-I, Sig-I,
optional Cert-I (encrypted); 6: HDR, ID-R, Sig-R, optional Cert-R (encrypted).
Result: SA for Phase II]




Note that in this method the sending of the certificates is optional. The certificate
can be sent here because it can be encrypted with SKEYID_e, which does not depend
on the signature key. In message 5, the initiator signs all the information exchanged in
messages 1 to 4 with its signature key. The responder verifies the signature using the
public key of the initiator, which authenticates the initiator. Likewise, in message 6, the
responder signs all the information exchanged with its signature key. The initiator veri-
fies the signature.



Phase I: Aggressive Mode

Each aggressive mode is a compressed version of the corresponding main mode. Instead
of six messages, only three are exchanged. Messages 1 and 3 are combined to make the
first message. Messages 2, 4, and 6 are combined to make the second message. Message 5
is sent as the third message. The idea is the same.

Preshared-Key Method

Figure 18.24 shows the preshared-key method in the aggressive mode. Note that after
receiving the first message, the responder can calculate SKEYID and consequently,
HASH-R. But the initiator cannot calculate SKEYID until it receives the second mes-
sage. HASH-I in the third message can be encrypted.

Figure 18.24 Aggressive mode, preshared-key method

KE-I (KE-R): Initiator's (responder's) half-key     HDR: General header including cookies
N-I (N-R): Initiator's (responder's) nonce           (shaded): Encrypted with SKEYID_e
HASH-I (HASH-R): Initiator's (responder's) hash      ID-I (ID-R): Initiator's (responder's) ID

[Figure: Initiator and Responder share a preshared key. 1: HDR, SA-offered, KE-I,
N-I, ID-I; 2: HDR, SA-selected, KE-R, N-R, ID-R, HASH-R; 3: HDR, HASH-I (encrypted).
Result: SA for Phase II]



Original Public-Key Method

Figure 18.25 shows the exchange of messages using the original public-key method in the
aggressive mode. Note that the responder can calculate SKEYID and HASH-R after
receiving the first message, but the initiator must wait until it receives the second message.

Revised Public-Key Method

Figure 18.26 shows the revised public-key method in the aggressive mode. The idea is
the same as for the main mode, except that some messages are combined.



Digital Signature Method

Figure 18.27 shows the digital signature method in the aggressive mode. The idea is the
same as for the main mode, except that some messages are combined.



Figure 18.25 Aggressive mode, original public-key method

HDR: General header including cookies             (shaded 1): Encrypted with initiator's public key
KE-I (KE-R): Initiator's (responder's) half-key   (shaded 2): Encrypted with responder's public key
N-I (N-R): Initiator's (responder's) nonce         (shaded 3): Encrypted with SKEYID_e
ID-I (ID-R): Initiator's (responder's) ID
HASH-I (HASH-R): Initiator's (responder's) hash

[Figure: 1: HDR, SA-offered, KE-I, N-I and ID-I (encrypted with the responder's
public key); 2: HDR, SA-selected, KE-R, N-R and ID-R (encrypted with the initiator's
public key), HASH-R; 3: HDR, HASH-I. Result: SA for Phase II]



Figure 18.26 Aggressive mode, revised public-key method

HDR: General header including cookies
KE-I (KE-R): Initiator's (responder's) half-key
Cert-I (Cert-R): Initiator's (responder's) certificate
N-I (N-R): Initiator's (responder's) nonce
ID-I (ID-R): Initiator's (responder's) ID
HASH-I (HASH-R): Initiator's (responder's) hash
(shaded 1): Encrypted with initiator's public key
(shaded 2): Encrypted with responder's public key
(shaded 3): Encrypted with responder's secret key
(shaded 4): Encrypted with initiator's secret key
(shaded 5): Encrypted with SK EYID_e

[Figure: 1: HDR, SA-offered, N-I (encrypted with the responder's public key), KE-I,
ID-I, optional Cert-I; 2: HDR, SA-selected, N-R (encrypted with the initiator's public
key), KE-R, ID-R, optional Cert-R, HASH-R; 3: HDR, HASH-I. Result: SA for Phase II]



Figure 18.27 Aggressive mode, digital signature method

HDR: General header including cookies                   KE-I (KE-R): Initiator's (responder's) half-key
Sig-I (Sig-R): Initiator's (responder's) signature      N-I (N-R): Initiator's (responder's) nonce
Cert-I (Cert-R): Initiator's (responder's) certificate  ID-I (ID-R): Initiator's (responder's) ID
(shaded): Encrypted with SKEYID_e

[Figure: Initiator and Responder hold digital signature keys. 1: HDR, SA-offered,
KE-I, N-I, ID-I; 2: HDR, SA-selected, KE-R, N-R, ID-R, Sig-R, optional Cert-R;
3: HDR, Sig-I, optional Cert-I (encrypted). Result: SA for Phase II]




Phase II: Quick Mode

After SAs have been created in either the main mode or the aggressive mode, phase II
can be started. There is only one mode defined for phase II so far, the quick mode. This
mode is under the supervision of the IKE SAs created by phase I. However, each quick-
mode method can follow any main or aggressive mode.

The quick mode uses IKE SAs to create IPSec SAs (or SAs for any other protocol).
Figure 18.28 shows the messages exchanged during the quick mode.

Figure 18.28 Quick mode

KE-I (KE-R): Initiator's (responder's) half-key     HDR: General header including cookies
N-I (N-R): Initiator's (responder's) nonce           (shaded): Encrypted with SKEYID_e
ID-I (ID-R): Initiator's (responder's) ID            SA: Security Association

[Figure: Initiator and Responder, protected by the IKE SA from phase I.
1: HDR, HASH1, SA, N-I, optional KE-I, optional ID-I and ID-R (encrypted);
2: HDR, HASH2, SA, N-R, optional KE-R, optional ID-I and ID-R (encrypted);
3: HDR, HASH3 (encrypted). Result: SA for IPSec]





In phase II, either party can be the initiator. That is, the initiator of phase II can be
the initiator of phase I or the responder of phase I.

The initiator sends the first message, which includes the keyed-HMAC HASH1
(explained later), the entire SA created in phase I, a new nonce (N-I), an optional new
Diffie-Hellman half-key (KE-I), and the optional IDs of both parties. The second mes-
sage is similar, but carries the keyed-HMAC HASH2, the responder nonce (N-R), and,
if present, the Diffie-Hellman half-key created by the responder. The third message
contains only the keyed-HMAC HASH3.

The messages are authenticated using three keyed-HMACs: HASH1, HASH2, and
HASH3. These are calculated as follows:




[Equations: HASH1, HASH2, and HASH3, each computed as prf(SKEYID_a, MsgID | message contents)]



Each HMAC includes the message ID (MsgID) used in the ISAKMP header. This allows multiplexing in phase II. The inclusion of MsgID prevents simultaneous creations of phase II from bumping into each other.

All three messages are encrypted for confidentiality using the SKEYID_e created during phase I.

Perfect Forward Security (PFS)

After establishing an IKE SA and calculating SKEYID_d in phase I, all keys for the quick mode are derived from SKEYID_d. Since multiple phase II SAs can be derived from a single phase I, phase II security is at risk if the intruder has access to SKEYID_d. To prevent this from happening, IKE allows Perfect Forward Security (PFS) as an option. In this option, an additional Diffie-Hellman half-key is exchanged and the resulting shared key is used in the calculation of key material (see the next section) for IPSec. PFS is effective if the Diffie-Hellman key is immediately deleted after the calculation of the key material for each quick mode.

Key Materials

After the exchanges in phase II, an SA for IPSec is created including the key material, K, that can be used in IPSec. The value is derived as:

[The derivation formula for K was an image in the original and is not recoverable from the scan; the text states that K is derived from SKEYID_d.]

If the length of K is too short for the particular cipher selected, a sequence of keys is created, each key is derived from the previous one, and the keys are concatenated to make a longer key. We show the case without PFS; we need to add the Diffie-Hellman shared key for the case with PFS.

The key material created is unidirectional; each party creates different key material because the SPI used in each direction is different.

The key material created after phase II is unidirectional; there is one key for each direction.
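As an added example (not the book's own code), the following Python code derives quick-mode key material the way this section describes: a prf keyed with SKEYID_d over the protocol, the SPI and both nonces, with the extra Diffie-Hellman shared key prepended when PFS is used, and chaining when K is too short for the cipher. The prf is assumed to be HMAC-SHA1 and the operand order follows RFC 2409 section 5.5 (the book's own formula is an image that did not survive the scan); SKEYID_d, the nonces, the SPIs and g^xy are constructed placeholder values.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated keyed pseudo-random function; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d, protocol, spi, n_i, n_r, needed_len, g_xy=None):
    """Return `needed_len` bytes of IPSec key material for one SA.

    Operand layout as in RFC 2409 section 5.5 (assumed; the book's formula is
    an image that did not survive the scan):
        without PFS:  K1 = prf(SKEYID_d, protocol | SPI | N-I | N-R)
        with PFS:     K1 = prf(SKEYID_d, g^xy | protocol | SPI | N-I | N-R)
    When K1 is too short for the cipher, further blocks are chained from the
    previous one and concatenated:
        Kn = prf(SKEYID_d, K(n-1) | [g^xy |] protocol | SPI | N-I | N-R)
    """
    tail = bytes([protocol]) + spi + n_i + n_r
    if g_xy is not None:
        tail = g_xy + tail                      # PFS: fresh DH secret goes first
    blocks = [prf(skeyid_d, tail)]
    while sum(len(b) for b in blocks) < needed_len:
        blocks.append(prf(skeyid_d, blocks[-1] + tail))
    return b"".join(blocks)[:needed_len]


# Constructed sample values (placeholders, not real traffic).
SKEYID_D = bytes.fromhex("00112233445566778899aabbccddeeff01234567")
N_I = bytes.fromhex("a1a2a3a4a5a6a7a8")          # initiator's quick-mode nonce
N_R = bytes.fromhex("b1b2b3b4b5b6b7b8")          # responder's quick-mode nonce
SPI_IN = bytes.fromhex("c0000001")   # SPI this host chose for its inbound SA
SPI_OUT = bytes.fromhex("d0000002")  # SPI the peer chose, used on the outbound SA
G_XY = bytes.fromhex("fe" * 32)      # stand-in for the extra DH shared secret (PFS)
ESP = 1                              # protocol ID for ESP as listed in this chapter


def derive_pair(pfs: bool, key_len: int = 32):
    """Key material for both directions of one quick-mode negotiation.

    The two SPIs differ, so the two keys differ: one key per direction."""
    g = G_XY if pfs else None
    inbound = quick_mode_keymat(SKEYID_D, ESP, SPI_IN, N_I, N_R, key_len, g)
    outbound = quick_mode_keymat(SKEYID_D, ESP, SPI_OUT, N_I, N_R, key_len, g)
    return inbound, outbound


if __name__ == "__main__":
    for pfs in (False, True):
        inb, outb = derive_pair(pfs)
        print("PFS" if pfs else "no PFS", inb.hex(), outb.hex(), sep="\n  ")
```

Once g^xy has been deleted, SKEYID_d alone no longer reproduces the PFS material, which is the property the option exists for.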



SA Algorithms

Before leaving this section, let us give the algorithms that are negotiated during the first two IKE exchanges.

Diffie-Hellman Groups

The first negotiation involves the Diffie-Hellman group used for exchanging half-keys. Five groups have been defined, as shown in Table 18.3.

Table 18.3 Diffie-Hellman groups

Group   Description
1       Modular exponentiation group with a 768-bit modulus
2       Modular exponentiation group with a 1024-bit modulus
3       Elliptic curve group with a 155-bit field
4       Elliptic curve group with a 185-bit field
5       Modular exponentiation group with a 1680-bit modulus

Hash Algorithms

The hash algorithms that are used for authentication are shown in Table 18.4.

Table 18.4 Hash algorithms

Value   Description
1       MD5
2       SHA
3       Tiger
4       SHA2-256
5       SHA2-384
6       SHA2-512


Encryption Algorithms

The encryption algorithms that are used for confidentiality are shown in Table 18.5. All of these are normally used in CBC mode.

Table 18.5 Encryption algorithms

Description
DES
IDEA
Blowfish
AES

[Only these rows of Table 18.5 are recoverable from the scan.]

18.6 ISAKMP

The ISAKMP protocol is designed to carry messages for the IKE exchange.

General Header

The format of the general header is shown in Figure 18.29.

Figure 18.29 ISAKMP general header

[Figure residue. Fields, laid out on 32-bit rows: Initiator cookie, Responder cookie, Next payload, Major version, Minor version, Exchange type, Flags, Message ID, Message length.]

□ Initiator cookie. This 32-bit field defines the cookie of the entity that initiates the SA establishment, SA notification, or SA deletion.

□ Responder cookie. This 32-bit field defines the cookie of the responding entity. The value of this field is 0 when the initiator sends the first message.

□ Next payload. This 8-bit field defines the type of payload that immediately follows the header. We discuss the different types of payloads in the next section.

□ Major version. This 4-bit field defines the major version of the protocol. Currently, the value of this field is 1.

□ Minor version. This 4-bit field defines the minor version of the protocol. Currently, the value of this field is 0.

□ Exchange type. This 8-bit field defines the type of exchange that is being carried by the ISAKMP packets. We have discussed the different exchange types in the previous section.

□ Flags. This is an 8-bit field in which each bit defines an option for the exchange. So far only the three least significant bits are defined. The encryption bit, when set to 1, specifies that the rest of the payload will be encrypted using the encryption key and the algorithm defined by the SA. The commitment bit, when set to 1, specifies that encrypted material is not received before the establishment of the SA. The authentication bit, when set to 1, specifies that the rest of the payload, though not [sentence continues; the remainder was lost at a page break in the scan]

□ Message ID. This 32-bit field is the unique message identity that defines the protocol state. This field is used only during the second phase of negotiation and is set to 0 during the first phase.

□ Message length. Because different payloads can be added to each packet, the length of a message can be different for each packet. This 32-bit field defines the length of the total message, including the header and all payloads.



Payloads

The payloads are actually designed to carry messages. Table 18.6 shows the types of payloads.

Table 18.6 Payloads

Type   Name                    Brief Description
0      None                    Used to show the end of the payloads
1      SA                      Used for SA negotiation
2      Proposal                Contains information used during SA negotiation
3      Transform               Defines a security transform to create a secure channel
4      Key Exchange            Carries data used for generating keys
5      Identification          Carries the identification of communicating peers
6      Certification           Carries a public-key certificate
7      Certification Request   Used to request a certificate from the other party
8      Hash                    Carries data generated by a hash function
9      Signature               Carries data generated by a signature function
10     Nonce                   Carries randomly generated data as a nonce
11     Notification            Carries error message or status associated with an SA
12     Delete                  Carries one or more SAs that the sender has deleted
13     Vendor                  Defines vendor-specific extensions






Each payload has a generic header and some specific fields. The format of the generic header is shown in Figure 18.30.

Figure 18.30 Generic payload header

[Figure residue. Fields on one 32-bit row: Next payload (8 bits), Reserved (8 bits), Payload length (16 bits).]

□ Next payload. This 8-bit field identifies the type of the next payload. When there is no next payload, the value of this field is 0. Note that there is no type field for the current payload. The type of the current payload is determined by the previous payload or the general header (if the payload is the first one).

□ Payload length. This 16-bit field defines the length of the total payload (including the generic header) in bytes.
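As an added example (not part of the book), this Python code walks an ISAKMP message the way the general header and the generic payload header above describe: the general header names the first payload type and the total length, and each generic payload header names the type of the payload after it and its own length. Each length is checked against the message before it is trusted, and a failure is reported as the Table 18.8 notification type a receiver would send. The two cookies are laid out as 64-bit fields, which is the RFC 2408 header layout, and the quick-mode exchange type value 32 is the RFC 2409 value; the sample message is constructed.

```python
import struct

# ISAKMP general header in the RFC 2408 layout: 64-bit initiator and responder
# cookies, next payload, major/minor version nibbles, exchange type, flags,
# 32-bit message ID and 32-bit total length (28 bytes in all).
HDR = struct.Struct("!8s8sBBBBII")
GENERIC = struct.Struct("!BBH")       # generic payload header: next, reserved, length
PAYLOAD_NAMES = {0: "None", 1: "SA", 2: "Proposal", 3: "Transform",
                 4: "Key Exchange", 5: "Identification", 6: "Certification",
                 7: "Certification Request", 8: "Hash", 9: "Signature",
                 10: "Nonce", 11: "Notification", 12: "Delete", 13: "Vendor"}
MAJOR_VERSION = 1
QUICK_MODE = 32   # exchange type value for quick mode in RFC 2409


class IsakmpError(Exception):
    """Raised with the Table 18.8 notification type a receiver would report."""


def parse_message(msg: bytes):
    """Validate the general header and walk the payload chain.

    Returns the header fields and a list of (payload name, body bytes)."""
    if len(msg) < HDR.size:
        raise IsakmpError("PAYLOAD-MALFORMED")
    ci, cr, nxt, ver, xchg, flags, msg_id, length = HDR.unpack_from(msg)
    if ver >> 4 != MAJOR_VERSION:
        raise IsakmpError("INVALID-MAJOR-VERSION")
    if length != len(msg):                     # header claims a different size
        raise IsakmpError("UNEQUAL-PAYLOAD-LENGTHS")
    payloads, off = [], HDR.size
    while nxt != 0:                            # 0 marks the end of the chain
        if nxt not in PAYLOAD_NAMES:
            raise IsakmpError("INVALID-PAYLOAD-TYPE")
        if off + GENERIC.size > len(msg):
            raise IsakmpError("PAYLOAD-MALFORMED")
        following, _reserved, plen = GENERIC.unpack_from(msg, off)
        # the length covers the generic header too, so it can never be under 4,
        # and it must stay inside the message: never index past len(msg)
        if plen < GENERIC.size or off + plen > len(msg):
            raise IsakmpError("PAYLOAD-MALFORMED")
        payloads.append((PAYLOAD_NAMES[nxt], msg[off + GENERIC.size:off + plen]))
        off += plen
        nxt = following
    if off != len(msg):                        # bytes left over after the last payload
        raise IsakmpError("UNEQUAL-PAYLOAD-LENGTHS")
    return {"initiator_cookie": ci, "responder_cookie": cr, "exchange": xchg,
            "flags": flags, "message_id": msg_id, "payloads": payloads}


def build_message(exchange, message_id, payloads, ci=b"\x11" * 8, cr=b"\x22" * 8):
    """Encode (type, body) pairs with a correctly chained next-payload field."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC.pack(following, 0, GENERIC.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    version = (MAJOR_VERSION << 4) | 0         # major 1, minor 0
    hdr = HDR.pack(ci, cr, first, version, exchange, 0, message_id,
                   HDR.size + len(body))
    return hdr + body


def sample_quick_mode_message():
    """Constructed first quick-mode message: HASH1, SA and N-I payloads (the
    optional KE and ID payloads omitted); the payload bytes are placeholders."""
    return build_message(QUICK_MODE, 0x0BADCAFE,
                         [(8, b"H" * 20), (1, b"S" * 12), (10, b"N" * 16)])
```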



SA Payload

The SA payload is used to negotiate security parameters. However, these parameters are not included in the SA payload; they are included in two other payloads (proposal and transform) that we will discuss later. An SA payload is followed by one or more proposal payloads, and each proposal payload is followed by one or more transform payloads. The SA payload just defines the domain of interpretation field and the situation field. Figure 18.31 shows the format of the SA payload.

Figure 18.31 SA payload

[Figure residue. Fields: generic header, DOI (32 bits), Situation (variable length).]

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ Domain of interpretation (DOI). This is a 32-bit field. For phase I, a value of 0 for this field defines a generic SA; a value of 1 defines IPSec.

□ Situation. This is a variable-length field that defines the situation under which the negotiation takes place.




Proposal Payload

The proposal payload initiates the mechanism of negotiation. Although by itself it does not propose any parameters, it does define the protocol identification and the SPI. The parameters for negotiation are sent in the transform payload that follows. Each proposal payload is followed by one or more transform payloads that give alternative sets of parameters. Figure 18.32 shows the format of the proposal payload.

Figure 18.32 Proposal payload

[Figure residue. Fields: generic header, Proposal number (8 bits), Protocol ID (8 bits), SPI size (8 bits), Number of transforms (8 bits), SPI (variable length).]

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ Proposal number. The initiator gives a number to each proposal so that the responder can refer to it. Note that an SA payload can include several proposal payloads. If all of the proposals belong to the same set of protocols, the proposal number must be the same for each protocol in the set. Otherwise, the proposals must have different numbers.

□ Protocol ID. This 8-bit field defines the protocol for the negotiation. For example, IKE phase I = 0, ESP = 1, AH = 2, etc.

□ SPI size. This 8-bit field defines the size of the SPI in bytes.

□ Number of transforms. This 8-bit field defines the number of transform payloads that will follow this proposal payload.

□ SPI. This variable-length field is the actual SPI. Note that if the SPI does not fill the 32-bit space, no padding is added.



Transform Payload

The transform payload actually carries attributes of the SA negotiation. Figure 18.33 shows the format of the transform payload.

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ Transform number. This 8-bit field defines the transform number. If there is more than one transform payload in a proposal payload, then each must have its own number.

□ Transform ID. This 8-bit field defines the identity of the payload.

□ Attributes. Each transform payload can carry several attributes. Each attribute itself can have three or two subfields (see Figure 18.33). The attribute type subfield defines the type of attribute as defined in the DOI. The attribute length subfield, if present, defines the length of the attribute value. The attribute value field is two bytes in the short form or of variable length in the long form.

Figure 18.33 Transform payload

[Figure residue. Fields: generic header, Transform number (8 bits), Transform ID (8 bits), Reserved (16 bits), Attributes (variable length). Attribute (long form): attribute type, attribute length, attribute value. Attribute (short form): attribute type, attribute value.]
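Continuing the added example (not the book's code), this Python code decodes the nesting that the SA, proposal and transform payload sections describe: an SA payload body (DOI, situation) followed by a chain of proposal payloads, each followed by exactly the number of transform payloads it announces, each carrying attributes in short form (two-byte value) or long form (explicit length). Which form an attribute uses is taken from the top bit of the 16-bit attribute-type field, the RFC 2408 convention; the sample bytes are constructed, and the attribute types used in them are arbitrary.

```python
import struct

GENERIC = struct.Struct("!BBH")   # next payload, reserved, payload length
PROPOSAL, TRANSFORM = 2, 3        # payload type values from Table 18.6


def read_payload(buf: bytes, off: int):
    """Read the generic header at `off`; return (next type, body, offset after it)."""
    if off + GENERIC.size > len(buf):
        raise ValueError("truncated payload header")
    nxt, _reserved, plen = GENERIC.unpack_from(buf, off)
    if plen < GENERIC.size or off + plen > len(buf):
        raise ValueError("payload length out of range")
    return nxt, buf[off + GENERIC.size:off + plen], off + plen


def parse_attributes(data: bytes):
    """Decode transform attributes into (type, value-bytes) pairs.

    The top bit of the 16-bit type is the format flag (RFC 2408 convention,
    assumed here): set = short form, the value is the next two bytes;
    clear = long form, the next two bytes give the length of the value."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute")
        atype, second = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:
            attrs.append((atype & 0x7FFF, second.to_bytes(2, "big")))
        else:
            if off + second > len(data):
                raise ValueError("attribute value exceeds payload")
            attrs.append((atype, data[off:off + second]))
            off += second
    return attrs


def parse_sa_body(body: bytes):
    """Decode an SA payload body: DOI, situation, then the proposal chain."""
    if len(body) < 8:
        raise ValueError("SA body too short")
    doi, situation = struct.unpack_from("!II", body, 0)
    proposals, off, nxt = [], 8, PROPOSAL     # a proposal follows the SA fields
    while nxt == PROPOSAL:
        nxt, pbody, off = read_payload(body, off)
        if len(pbody) < 4:
            raise ValueError("proposal too short")
        num, proto, spi_size, ntrans = struct.unpack_from("!BBBB", pbody, 0)
        spi = pbody[4:4 + spi_size]
        if len(spi) != spi_size:
            raise ValueError("SPI exceeds proposal")
        transforms, toff = [], 4 + spi_size
        for i in range(ntrans):                # exactly the announced number
            tnxt, tbody, toff = read_payload(pbody, toff)
            if len(tbody) < 4:
                raise ValueError("transform too short")
            expected = TRANSFORM if i + 1 < ntrans else 0
            if tnxt != expected:
                raise ValueError("transform chain disagrees with announced count")
            transforms.append((tbody[0], tbody[1], parse_attributes(tbody[4:])))
        if toff != len(pbody):
            raise ValueError("trailing bytes after last transform")
        proposals.append({"number": num, "protocol": proto, "spi": spi,
                          "transforms": transforms})
    if nxt != 0 or off != len(body):
        raise ValueError("proposal chain ends badly")
    return {"doi": doi, "situation": situation, "proposals": proposals}


# Encoders used to build the constructed sample below.
def attr_short(atype, value):
    return struct.pack("!HH", 0x8000 | atype, value)


def attr_long(atype, value: bytes):
    return struct.pack("!HH", atype, len(value)) + value


def transform_payload(num, tid, attrs, last):
    body = struct.pack("!BBH", num, tid, 0) + b"".join(attrs)
    return GENERIC.pack(0 if last else TRANSFORM, 0, GENERIC.size + len(body)) + body


def proposal_payload(num, proto, spi, transforms, last):
    body = struct.pack("!BBBB", num, proto, len(spi), len(transforms)) + spi
    body += b"".join(transforms)
    return GENERIC.pack(0 if last else PROPOSAL, 0, GENERIC.size + len(body)) + body


def sample_sa_body():
    """Constructed: DOI 1 (IPSec), one proposal for ESP (protocol ID 1 as in this
    chapter) with a 4-byte SPI, offering two alternative transforms."""
    t1 = transform_payload(1, 1, [attr_short(1, 1), attr_long(2, b"\x00\x01\x00\x00")], False)
    t2 = transform_payload(2, 1, [attr_short(1, 2)], True)
    return struct.pack("!II", 1, 1) + proposal_payload(1, 1, b"\xc0\x00\x00\x01", [t1, t2], True)
```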



Key-Exchange Payload

The key-exchange payload is used in those exchanges that need to send preliminary keys that are used for creating session keys. For example, it can be used to send a Diffie-Hellman half-key. Figure 18.34 shows the format of the key-exchange payload.

Figure 18.34 Key-exchange payload

[Figure residue. Fields: generic header, KE (variable length).]

The fields in the generic header have been discussed. The description of the KE field follows:

□ KE. This variable-length field carries the data needed for creating the session key.

Identification Payload

The identification payload allows entities to send their identifications to each other. Figure 18.35 shows the format of the identification payload.



Figure 18.35 Identification payload

[Figure residue. Fields: generic header, ID type (8 bits), ID data (24 bits), Identification data (variable length).]

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ ID type. This 8-bit field is DOI specific and defines the type of ID being used.

□ ID data. This 24-bit field is usually set to 0.

□ Identification data. The actual identity of each entity is carried in this variable-length field.

Certification Payload

Anytime during the exchange, an entity can send its certification (for public encryption/decryption keys or signature keys). Although the inclusion of the certification payload in an exchange is normally optional, it needs to be included if there is no secure directory available to distribute the certificate. Figure 18.36 shows the format of the certification payload.

Figure 18.36 Certification payload

[Figure residue. Fields: generic header, Certificate encoding (8 bits), Certificate data (variable length).]

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ Certificate encoding. This 8-bit field defines the encoding (type) of the certificate. Table 18.7 shows the types defined so far.

□ Certificate data. This variable-length field carries the actual value of the certificate. Note that the previous field implicitly defines the size of this field.



Table 18.7 Certification types

Value   Type
0       None
1       PKCS #7 wrapped X.509 Certificate
2       PGP Certificate
3       DNS Signed Key
4       X.509 Certificate - Signature
5       X.509 Certificate - Key Exchange
6       Kerberos Tokens
7       Certificate Revocation List
8       Authority Revocation List
9       SPKI Certificate
10      X.509 Certificate - Attribute



Certificate Request Payload

Each entity can explicitly request a certificate from the other entity using the certificate request payload. Figure 18.37 shows the format of this payload.

Figure 18.37 Certification request payload

[Figure residue. Fields: generic header, Certificate type (8 bits), Certificate authority (variable length).]

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ Certificate type. This 8-bit field defines the type of certificate as previously defined in the certificate payload.

□ Certificate authority. This is a variable-length field that defines the authority for the type of certificate issued.



Hash Payload

The hash payload contains data generated by the hash function as described in the IKE exchanges. The hash data guarantee the integrity of the message or part of the ISAKMP states. Figure 18.38 shows the format of the hash payload.

Figure 18.38 Hash payload

[Figure residue. Fields: generic header, Hash data (variable length).]

The fields in the generic header have been discussed. The description of the last field follows:

□ Hash data. This variable-length field carries the hash data generated by applying the hash function to the message or part of the ISAKMP states.

Signature Payload

The signature payload contains data generated by applying the digital signature procedure over some part of the message or ISAKMP state. Figure 18.39 shows the format of the signature payload.

Figure 18.39 Signature payload

[Figure residue. Fields: generic header, Signature data (variable length).]

The fields in the generic header have been discussed. The description of the last field follows:

□ Signature. This variable-length field carries the digest resulting from applying the signature over part of the message or ISAKMP state.

Nonce Payload

The nonce payload contains random data used as a nonce to ensure liveliness of the message and to prevent a replay attack. Figure 18.40 shows the format of the nonce payload.

Figure 18.40 Nonce payload

[Figure residue. Fields: generic header, Nonce (variable length).]

The fields in the generic header have been discussed. The description of the last field follows:

□ Nonce. This variable-length field carries the value of the nonce.
Notification Payload

During the negotiation process, sometimes a party needs to inform the other party of the status or errors. The notification payload is designed for these two purposes. Figure 18.41 shows the format of the notification payload.

Figure 18.41 Notification payload

[Figure residue. Fields: generic header, DOI (32 bits), Protocol ID (8 bits), SPI size (8 bits), Notification message type (16 bits), SPI (variable length), Notification data (variable length).]

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ DOI. This 32-bit field is the same as that defined for the Security Association payload.

□ Protocol ID. This 8-bit field is the same as that defined for the proposal payload.

□ SPI size. This 8-bit field is the same as that defined for the proposal payload.

□ Notification message type. This 16-bit field specifies the status or the type of error that is to be reported. Table 18.8 gives a brief description of these types.

□ SPI. This variable-length field is the same as that defined for the proposal payload.

□ Notification data. This variable-length field can carry extra textual information about the status or errors. The types of errors are listed in Table 18.8; the values 31 to 8191 are for future use and the values 8192 to 16383 are for private use.



Table 18.8 Notification types

Value   Description
1       INVALID-PAYLOAD-TYPE
2       DOI-NOT-SUPPORTED
3       SITUATION-NOT-SUPPORTED
4       INVALID-COOKIE
5       INVALID-MAJOR-VERSION
6       INVALID-MINOR-VERSION
7       INVALID-EXCHANGE-TYPE
8       INVALID-FLAGS
9       INVALID-MESSAGE-ID
10      INVALID-PROTOCOL-ID
11      INVALID-SPI
12      INVALID-TRANSFORM-ID
13      ATTRIBUTES-NOT-SUPPORTED
14      NO-PROPOSAL-CHOSEN
15      BAD-PROPOSAL-SYNTAX
16      PAYLOAD-MALFORMED
17      INVALID-KEY-INFORMATION
18      INVALID-ID-INFORMATION
19      INVALID-CERT-ENCODING
20      INVALID-CERTIFICATE
21      CERT-TYPE-UNSUPPORTED
22      INVALID-CERT-AUTHORITY
23      INVALID-HASH-INFORMATION
24      AUTHENTICATION-FAILED
25      INVALID-SIGNATURE
26      ADDRESS-NOTIFICATION
27      NOTIFY-SA-LIFETIME
28      CERTIFICATE-UNAVAILABLE
29      UNSUPPORTED-EXCHANGE-TYPE
30      UNEQUAL-PAYLOAD-LENGTHS

Table 18.9 is a list of status notifications. Values from 16385 to 24575 and 40960 to 65535 are reserved for future use. Values from 32768 to 40959 are for private use.

Table 18.9 Status notification values

Value          Description
16384          CONNECTED
24576-32767    DOI-specific codes



Delete Payload

The delete payload is used by an entity that has deleted one or more SAs and needs to inform the peer that these SAs are no longer supported. Figure 18.42 shows the format of the delete payload.

Figure 18.42 Delete payload

[Figure residue. Fields: generic header, DOI (32 bits), Protocol ID (8 bits), SPI size (8 bits), Number of SPIs (16 bits), SPIs (variable length).]

The fields in the generic header have been discussed. The descriptions of the other fields follow:

□ DOI. This 32-bit field is the same as that defined for the Security Association payload.

□ Protocol ID. This 8-bit field is the same as that defined for the proposal payload.

□ SPI size. This 8-bit field is the same as that defined for the proposal payload.

□ Number of SPIs. This 16-bit field defines the number of SPIs. One delete payload can report the deletion of several SAs.

□ SPIs. This variable-length field defines the SPIs of the deleted SAs.






Vendor Payload

ISAKMP allows the exchange of information particular to a specific vendor. Figure 18.43 shows the format of the vendor payload.

Figure 18.43 Vendor payload

[Figure residue. Fields: generic header, Vendor ID (variable length).]

The fields in the generic header have been discussed. The description of the last field follows:

□ Vendor ID. This variable-length field defines the constant used by the vendor.



18.7 RECOMMENDED READING

The following books and websites give more details about subjects discussed in this chapter. The items enclosed in brackets refer to the reference list at the end of the book.

Books

[DH03], [Fra01], [KPS02], [Res01], [Sta06], and [Rhe03] discuss IPSec thoroughly.

Websites

The following websites give more information about topics discussed in this chapter.

http://www.ietf.org/rfc/rfc2401.txt
http://www.unixwiz.net/techtips/iguide-ipsec.html
http://rfc.net/rfc2411.html



18.8 KEY TERMS

aggressive mode
Authentication Header (AH) Protocol
clogging attack
cookie
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
Internet Security Association and Key Management Protocol (ISAKMP)
IP Security (IPSec)
main mode
Oakley
Perfect Forward Security (PFS)



replay attack
Security Association (SA)
Security Association Database (SAD)
Security Policy (SP)
Security Policy Database (SPD)
SKEME
transport mode
tunnel mode




18.9 SUMMARY

□ IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the network level.

□ IPSec operates in transport or tunnel mode. In transport mode, IPSec protects information delivered from the transport layer to the network layer, but does not protect the IP header. In tunnel mode, IPSec protects the whole IP packet, including the original IP header.

□ IPSec defines two protocols: Authentication Header (AH) Protocol and Encapsulating Security Payload (ESP) Protocol to provide authentication and encryption or both for packets at the IP level. The Authentication Header (AH) Protocol authenticates the source host and ensures the integrity of the payload carried by the IP packet. Encapsulating Security Payload (ESP) provides source authentication, integrity, and privacy. ESP adds a header and trailer.

□ IPSec indirectly provides access control using a Security Association Database (SAD).

□ In IPSec, Security Policy (SP) defines what type of security must be applied to a packet at the sender or at the receiver. IPSec uses a set of SPs called Security Policy Database (SPD).

□ The Internet Key Exchange (IKE) is the protocol designed to create Security Associations, both inbound and outbound. IKE creates SAs for IPSec. IKE is a complex protocol based on three other protocols: Oakley, SKEME, and ISAKMP.

□ IKE is designed in two phases: phase I and phase II. Phase I creates SAs for phase II; phase II creates SAs for a data exchange protocol such as IPSec.

□ ISAKMP is the protocol that carries the messages for IKE.



18.10 PRACTICE SET

Review Questions

1. Distinguish between two modes of IPSec.

2. Define AH and the security services it provides.

3. Define ESP and the security services it provides.

4. Define Security Association (SA) and explain its purpose.

5. Define SAD and explain its relation to Security Association.

6. Define Security Policy and explain its purpose with relation to IPSec.

7. Define IKE and explain why it is needed in IPSec.

8. List phases of IKE and the goal of each phase.

9. Define ISAKMP and its relation to IKE.

10. List ISAKMP payload types and the purpose of each type.

Exercises

11. A host receives an authenticated packet with the sequence number 183. The replay window spans from 200 to 263. What will the host do with the packet? What is the window span after this event?

12. A host receives an authenticated packet with the sequence number 208. The replay window spans from 200 to 263. What will the host do with the packet? What is the window span after this event?

13. A host receives an authenticated packet with the sequence number 331. The replay window spans from 200 to 263. What will the host do with the packet? What is the window span after this event?
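The three exercises above all turn on the same sliding-window check, so here is an added example (not from the book) that implements it: a 64-packet window kept as a bitmap plus the highest sequence number accepted so far, the scheme of RFC 2401 Appendix C. The window 200 to 263 of the exercises is used as the constructed starting state; the code reports whether a packet is accepted and the window span afterwards.

```python
class ReplayWindow:
    """Anti-replay window for AH/ESP (RFC 2401 Appendix C scheme, assumed here).

    `top` is the highest sequence number accepted so far; bit i of `bits` is set
    when sequence number top - i has already been seen, so bit 0 stands for top
    and the window covers [top - size + 1, top]."""

    def __init__(self, size: int = 64, top: int = 0):
        self.size, self.top, self.bits = size, top, 0

    @classmethod
    def spanning(cls, low: int, high: int):
        """Constructed starting state: a window spanning low..high whose top
        (high) has been seen and nothing else has."""
        w = cls(high - low + 1, high)
        w.bits = 1
        return w

    def span(self):
        """Current window as (lowest, highest) acceptable sequence number."""
        return (self.top - self.size + 1, self.top)

    def receive(self, seq: int) -> bool:
        """Return True if the packet is accepted (and record it), False if it is
        dropped. Called for a packet whose authentication already verified."""
        if seq > self.top:                      # right of the window: slide it
            shift = seq - self.top
            if shift >= self.size:              # everything old falls out
                self.bits = 0
            else:
                self.bits = (self.bits << shift) & ((1 << self.size) - 1)
            self.bits |= 1                      # bit 0 now stands for seq
            self.top = seq
            return True
        if seq <= self.top - self.size:         # left of the window: too old
            return False
        mask = 1 << (self.top - seq)            # inside the window
        if self.bits & mask:                    # already seen: a replay
            return False
        self.bits |= mask
        return True


def worked_cases():
    """Exercises 11 to 13 run against a fresh 200..263 window each time."""
    results = {}
    for seq in (183, 208, 331):
        w = ReplayWindow.spanning(200, 263)
        results[seq] = (w.receive(seq), w.span())
    return results
```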

14. The diagram for calculation of SKEYID for the preshared-key method is shown in Figure 18.44. Note that the key to the prf function in this case is a preshared key.

Figure 18.44 Exercise 14

[The figure was not captured in the scan.]

a. Draw a similar diagram of SKEYID for the public-key method.

b. Draw a similar diagram of SKEYID for the digital signature method.

15. Draw a diagram similar to Figure 18.44 for the following; the key in each case is SKEYID.

a. SKEYID_a

b. SKEYID_d

c. SKEYID_e

16. Draw a diagram similar to Figure 18.44 for the following; the key in each case is SKEYID.

a. HASH-I

b. HASH-R



17. Draw a diagram similar to Figure 18.44 for the following; the key in each case is SKEYID_d:

[The sub-items of this exercise were not captured in the scan.]

18. Draw a diagram similar to Figure 18.44 for the following; the key in each case is SKEYID_d:

a. K for the case without PFS

b. K for the case with PFS

19. Repeat Exercise 18 for the case in which the length of K is too short.

20. Draw a diagram and show actual ISAKMP packets that are exchanged between an initiator and a responder using the preshared-key method in the main mode (see Figure 18.20). Use at least two proposal packets with at least two transform packets for each proposal.

21. Repeat Exercise 20 using the original public-key method in the main mode (see Figure 18.21).

22. Repeat Exercise 20 using the revised public-key method in the main mode (see Figure 18.22).

23. Repeat Exercise 20 using the digital signature method in the main mode (see Figure 18.23).

24. Repeat Exercise 20 in the aggressive mode (see Figure 18.24).

25. Repeat Exercise 21 in the aggressive mode (see Figure 18.25).

26. Repeat Exercise 22 in the aggressive mode (see Figure 18.26).

27. Repeat Exercise 23 in the aggressive mode (see Figure 18.27).

28. Draw a diagram and show the actual ISAKMP packets that are exchanged between an initiator and a responder in the quick mode (see Figure 18.28).

29. Compare the preshared-key methods in the main and aggressive modes. How much compromise is made in the aggressive mode with respect to security? What is the gain with respect to efficiency?

30. Compare the general public-key methods in the main and aggressive modes. How much compromise is made in the aggressive mode with respect to security? What is the gain with respect to efficiency?

31. Compare the revised public-key methods in the main and aggressive modes. How much compromise is made in the aggressive mode with respect to security? What is the gain with respect to efficiency?

32. Compare the digital signature method in the main and aggressive modes. How much compromise is made in the aggressive mode with respect to security? What is the gain with respect to efficiency?

33. In the main and aggressive mode, we assume that an intruder cannot calculate the SKEYID. Give the reasoning behind this assumption.



34. In IKE phase I, the identity is usually defined as the IP address. In the preshared-key method, the preshared key is also a function of the IP address. Show how this may create a vicious circle.

35. Compare methods for the main mode and show which method exchanges protected IDs.

36. Repeat Exercise 35 for aggressive methods.

37. Show how IKE reacts to the replay attack in the main mode. That is, show how IKE responds to an attacker that tries to replay one or more messages in the main mode.

38. Show how IKE reacts to the replay attack in the aggressive mode. That is, show how IKE responds to an attacker that tries to replay one or more messages in the aggressive mode.

39. Show how IKE reacts to the replay attack in the quick mode. That is, show how IKE responds to an attacker that tries to replay one or more messages in the quick mode.

40. Show how IPSec reacts to a brute-force attack. That is, can an intruder do an exhaustive computer search to find the encryption key for IPSec?



The American Standard Code for Information Interchange (ASCII) is a 7-bit code that was designed to provide codes for 128 symbols, as shown in Table A.1.

Table A.1 ASCII Codes

[Table A.1 was not captured in the scan.]





Standards and Standard Organizations

Standards are essential in creating and maintaining an open and competitive market for equipment manufacturers and in guaranteeing national and international interoperability of technology. Standards provide guidelines to manufacturers, vendors, government agencies, and other service providers to ensure the kind of interconnectivity necessary in today's marketplace and in international communications.



B.1 INTERNET STANDARDS

An Internet standard is a thoroughly tested specification that is useful to and adhered
to by those who work with the Internet. It is a formalized regulation that must be followed.
There is a strict procedure by which a specification attains Internet standard status. A
specification begins as an Internet draft. An Internet draft is a working document (a
work in progress) with no official status and a six-month lifetime. Upon recommendation
from the Internet authorities, a draft may be published as a Request for Comment
(RFC). Each RFC is edited, assigned a number, and made available to all interested
parties. RFCs go through maturity levels and are categorized according to their requirement
level.

Maturity Levels 

An RFC, during its lifetime, falls into one of six maturity levels: proposed standard,
draft standard, Internet standard, historic, experimental, and informational, as shown
in Figure B.1.

Proposed Standard

A proposed standard is a specification that is stable, well understood, and of sufficient
interest to the Internet community. At this level, the specification is usually tested and
implemented by several different groups.



Figure B.1 Maturity levels of an RFC

Draft Standard

A proposed standard is elevated to draft standard status after at least two successful
independent and interoperable implementations. Barring difficulties, a draft standard,
with modifications if specific problems are encountered, can become an Internet
standard.

Internet Standard

A draft standard reaches Internet standard status after demonstrations of successful
implementation.

Historic

The historic RFCs are significant from a historical perspective. They either have been
superseded by later specifications or have never passed the necessary maturity levels to
become an Internet standard.

Experimental

An RFC classified as experimental describes work related to an experimental situation
that does not affect the operation of the Internet. Such an RFC should not be implemented
in any functional Internet service.

Informational

An RFC classified as informational contains general, historical, or tutorial information
related to the Internet. It is usually written by someone in a non-Internet organization
such as a vendor.






Requirement Levels

RFCs are classified into five requirement levels: required, recommended, elective,
limited use, and not recommended, as shown in Figure B.2.

Figure B.2 Requirement levels of an RFC: required, recommended, elective, limited use, not recommended

Required

An RFC is labeled required if it must be implemented by all Internet systems to achieve
minimum conformance.

Recommended

An RFC labeled recommended is not required for minimum conformance; it is recommended
because of its usefulness.

Elective

An RFC labeled elective is not required and not recommended. However, a system can
use it for its own benefit.

Limited Use

An RFC labeled limited use should be used only in limited situations. Most of the
experimental RFCs fall under this category.

Not Recommended

An RFC labeled not recommended is inappropriate for general use. Normally a historic
(obsolete) RFC may fall under this category.

RFCs can be found at www.faqs.org/rfcs



Internet Administration

The Internet, with its roots primarily in the research domain, has evolved and gained
a broader user base with significant commercial activity. Various groups that coordinate
Internet issues have guided this growth and development. Figure B.3 shows the general
organization of Internet administration.

Figure B.3 Internet administration




Internet Society (ISOC)

The Internet Society (ISOC) is an international nonprofit organization formed in
1992 to provide support for the Internet standards process. ISOC accomplishes this
through maintaining and supporting other Internet administrative bodies such as IAB,
IETF, IRTF, and ICANN (see the following sections). ISOC also promotes research and
other scholarly activities relating to the Internet.

Internet Architecture Board (IAB)

The Internet Architecture Board (IAB) is the technical advisor to ISOC. The main
purposes of the IAB are to oversee the continuing development of the TCP/IP Protocol
Suite and to serve in a technical advisory capacity to research members of the Internet
community. The IAB accomplishes this through its two primary components, the Internet
Engineering Task Force (IETF) and the Internet Research Task Force (IRTF).
Another responsibility of the IAB is the editorial management of the RFCs, described
earlier in this appendix. The IAB is also the external liaison between the Internet
administration and other standard organizations and forums.

Internet Engineering Task Force (IETF)

The Internet Engineering Task Force (IETF) is a forum of working groups managed
by the Internet Engineering Steering Group (IESG). IETF is responsible for identifying
operational problems and proposing solutions to these problems. IETF also develops
and reviews specifications intended as Internet standards. The working groups are
collected into areas, and each area concentrates on a specific topic. Currently nine
areas have been defined: applications, Internet protocols, routing, operations, user services,
network management, transport, Internet protocol next generation (IPng), and
security.



Internet Research Task Force (IRTF)

The Internet Research Task Force (IRTF) is a forum of working groups managed by
the Internet Research Steering Group (IRSG). IRTF focuses on long-term research topics
related to Internet protocols, applications, architecture, and technology.

Internet Corporation for Assigned Names and Numbers (ICANN)

The Internet Corporation for Assigned Names and Numbers (ICANN), a private
nonprofit corporation managed by an international board, is responsible for the management
of Internet domain names and addresses.

Network Information Center (NIC)

The Network Information Center (NIC) is responsible for collecting and distributing
information about TCP/IP protocols.




B.2 OTHER STANDARD ORGANIZATIONS

Several other standard organizations that are mentioned in the text are briefly discussed
here.

NIST

The National Institute of Standards and Technology (NIST) is part of the United
States Commerce Department. NIST issues standards in the form of Federal Information
Processing Standards (FIPS). Following are the steps involved in the process:

1. NIST publishes the FIPS in the Federal Register (a governmental publication) and
NIST's website for public review and comment. The announcement also defines
the deadline for accepting comments (normally 90 days after announcement).

2. After the deadline, an expert group in NIST reviews the comments and makes any
necessary modifications.

3. The recommended FIPS is sent to the Secretary of Commerce for approval.

4. The approval of the FIPS is published in the Federal Register and NIST's website.

ISO

The International Organization for Standardization (ISO) is a multinational body
whose membership is drawn mainly from the standards creation committees of various
governments throughout the world. The ISO is active in developing cooperation in the
realms of scientific, technological, and economic activity.

ITU-T

International Telecommunication Union—Telecommunication Standards Sector
(ITU-T) is part of the International Telecommunication Union (ITU). The sector is
devoted to the research and establishment of standards for telecommunications in general
and for phone and data systems in particular.

ANSI

The American National Standards Institute (ANSI) is a completely private, nonprofit
corporation not affiliated with the U.S. federal government. However, all ANSI activities
are undertaken with the welfare of the United States and its citizens being of primary
importance.

IEEE

The Institute of Electrical and Electronics Engineers (IEEE) is the largest professional
engineering society in the world. International in scope, it aims to advance theory,
creativity, and product quality in the fields of electrical engineering, electronics, and
radio as well as in all related branches of engineering. As one of its goals, the IEEE
oversees the development and adoption of international standards for computing and
communications.

EIA

Aligned with ANSI, the Electronic Industries Association (EIA) is a nonprofit organization
devoted to the promotion of electronics manufacturing concerns. Its activities include
public awareness education and lobbying efforts in addition to standards development. In
the field of information technology, the EIA has made significant contributions by developing
standards for data communication.




Appendix C TCP/IP Protocol Suite

The networking model used in the Internet today is the Transmission Control Protocol/
Internetworking Protocol (TCP/IP) or TCP/IP Protocol Suite. The suite is made of five
layers: application, transport, network, data link, and physical, as shown in Figure C.1.

Figure C.1 TCP/IP protocol suite (application layer: DNS, SMTP, FTP, HTTP, SNMP, TELNET; transport layer: SCTP, TCP, UDP; network layer: IP, ICMP, IGMP, ARP, RARP; data link and physical layers: the underlying physical networks)



TCP/IP is a hierarchical protocol made up of interactive modules, each of which
provides a specific functionality. The term hierarchical means that each upper-layer
protocol uses the services of one or more lower-layer protocols.

C.1 LAYERS IN THE TCP/IP

In this section we briefly describe the functions of each layer in the TCP/IP protocol
suite.

Application Layer

The application layer enables the user, whether human or software, to access the network.
It provides user interfaces and support for services such as file transfer, electronic
mail, and remote logging.

The application layer is responsible for providing service to the user.

□ Domain Name System (DNS). DNS is an application program that gives services
to other application programs. It finds the logical (network-layer) address when
given the specific (application-layer) address.

□ Simple Mail Transfer Protocol (SMTP). SMTP is the protocol used for electronic
mail. Electronic mail is discussed in Chapter 16.

□ File Transfer Protocol (FTP). FTP is the file transfer protocol in the Internet. It is
used to transfer large files from one computer to another.

□ Hypertext Transfer Protocol (HTTP). HTTP is the protocol that is normally
used to access the World Wide Web (WWW).

□ Simple Network Management Protocol (SNMP). SNMP is the official management
protocol in the Internet.

□ Terminal Network (TELNET). TELNET is the remote log-in application program.
A user can use TELNET to connect to a remote host and use the available services.

Transport Layer

The transport layer is responsible for process-to-process delivery of the entire message.
A process is an application program running on the host.

The transport layer is responsible for the delivery of a message from one process
to another.

Traditionally the transport layer was represented in TCP/IP by two protocols: TCP and
UDP. A new transport layer protocol, SCTP, has been devised to answer the needs of
some new applications.

□ User Datagram Protocol (UDP). UDP is the simpler of the two standard TCP/IP
transport protocols. It is a process-to-process protocol that adds only port
addresses, checksum error control, and length information to the data from the
upper layer.



□ Transmission Control Protocol (TCP). TCP provides full transport layer
services to applications. TCP is a reliable stream transport protocol. The term
stream, in this context, means connection-oriented: a connection must be established
between both ends of a transmission before either can transmit data. At the
sending end of each transmission, TCP divides a stream of data into smaller units
called segments. Each segment includes a sequence number for reordering after
receipt, together with an acknowledgment number for the segments received. Segments
are carried across the Internet inside of IP datagrams. At the receiving end,
TCP collects each datagram as it comes in and reorders the transmission based on
sequence numbers.

□ Stream Control Transmission Protocol (SCTP). SCTP provides support for new
applications such as IP telephony. It is a transport layer protocol that combines the
good features of UDP and TCP.

Network Layer

The network layer is responsible for the source-to-destination delivery of a packet,
possibly across multiple physical networks (links). The network layer ensures that each
packet gets from its point of origin to its final destination. Some responsibilities of the
network layer include logical addressing and routing.

The network layer is responsible for the delivery of individual
packets from the source host to the destination host.



□ Internet Protocol (IP). IP is the transmission mechanism used by the TCP/IP
protocols. It is an unreliable and connectionless protocol—a best-effort delivery
service. The term best-effort means that IP provides no error checking or tracking.
IP assumes the unreliability of the underlying layers and does its best to get a
transmission through to its destination, but with no guarantees. IP transports data
in packets called datagrams, each of which is transported separately. Datagrams
can travel along different routes and can arrive out of sequence or be duplicated. IP
does not keep track of the routes and has no facility for reordering datagrams once
they arrive at their destination. The limited functionality of IP should not be considered
a weakness, however. IP provides bare-bones transmission functions that
free the user to add only those facilities necessary for a given application and
thereby allows for maximum efficiency.

□ Address Resolution Protocol (ARP). ARP is used to associate an IP address with
the physical address. On a typical physical network, each device on the network is
identified by a physical or station address usually imprinted on the network interface
card (NIC). ARP is used to find the physical address of the node when its
Internet address is known.

□ Reverse Address Resolution Protocol (RARP). RARP allows a host to discover
its Internet address when it knows only its physical address. It is used when a computer
is connected to the network for the first time or when a diskless computer is
booted.



□ Internet Control Message Protocol (ICMP). ICMP is a mechanism used by
hosts and other intermediate devices to send notification of datagram problems
back to the sender. ICMP sends query and error reporting messages.

□ Internet Group Message Protocol (IGMP). IGMP is used to facilitate the simultaneous
transmission of a message to a group of recipients.

Data Link Layer

The data link layer transforms the physical layer, a raw transmission facility, to a reliable
link. It makes the physical layer appear error-free to the upper layer (network
layer). Some responsibilities of the data link layer include framing, physical addressing,
flow control, error control, and access control.

The data link layer is responsible for moving frames from one hop (node) to the next.

Physical Layer

The physical layer coordinates the functions required to carry a bit stream over a physical
medium. The physical layer is concerned with physical characteristics of interfaces
and transmission media, representation of bits, data rate, synchronization of bits, and
physical topology.

The physical layer is responsible for movements of individual bits
from one hop (node) to the next.



C.2 ADDRESSING

Four different levels of addresses are used in the Internet using the TCP/IP protocols:
specific address, port address, logical address, and physical address, as shown in
Figure C.2.





Specific Address

Communication at the application layer is done using specific addresses: addresses
belonging to specific application layer protocols. For example, one uses an e-mail
address to send an e-mail.

Port Address

Today, computers are devices that can run multiple processes at the same time. The end
objective of Internet communication is a process communicating with another process.
For example, computer A can communicate with computer C using TELNET. At the
same time, computer A communicates with computer B using File Transfer Protocol
(FTP). For these processes to occur simultaneously, there must be a method to label



Figure C.2 Addresses in TCP/IP (application layer: specific address; transport layer: port address; network layer: logical address; data link and physical layers: physical address on the underlying physical networks)



different processes. In other words, the processes need addresses. In TCP/IP architecture,
the label assigned to a process is called a port address. A port address in TCP/IP is
16 bits long.

Logical Address

Logical addresses are necessary for universal communication services that are independent
of underlying physical networks. A universal addressing system in which each
host can be identified uniquely, regardless of the underlying physical network, is
needed. The logical addresses are designed for this purpose. A logical address (IP
address) in the Internet is currently a 32-bit address that can uniquely define a host connected
to the Internet. No two publicly addressed and visible hosts on the Internet can
have the same IP address.

Physical Address

The physical address, also known as the link address, is the address of a node as
defined by its physical network. It is included in the frame used by the data link layer. It
is the lowest-level address. The physical addresses have authority over the physical network.
The size and format of these addresses vary depending on the network.
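To make the four address levels concrete, here is an added example that is not code from the book: a small Python parser that walks a constructed Ethernet II / IPv4 / TCP frame and pulls out the physical (MAC) addresses from the data link header, the logical (IP) addresses from the network header and the port addresses from the transport header, leaving the application payload, where the specific address lives (here an e-mail address inside an SMTP command), to the application layer. The MAC and IP addresses, ports and payload in the sample frame are constructed for illustration; the header layouts are the standard ones for these three protocols.

```python
"""Pull the TCP/IP address levels out of a single frame.

Added example, not from the textbook: a minimal parser for an Ethernet II
frame carrying an IPv4 datagram and a TCP segment. It returns the
physical (MAC) addresses from the data-link header, the logical (IP)
addresses from the network header, the port addresses from the transport
header, and the application payload, which is where the specific address
(here an e-mail address inside an SMTP command) lives. The frame is
constructed here for illustration; the MAC and IP addresses are made up.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def mac_str(raw):
    """Six-byte physical address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)

def ipv4_str(raw):
    """Four-byte logical address in dotted-decimal form."""
    return ".".join(str(b) for b in raw)

def parse_frame(frame):
    """Walk the data-link, network and transport headers and return the
    addresses found at each level plus the application data.

    Every length field is checked against the bytes actually present: a
    parser that trusts header lengths and reads past its buffer is a
    classic source of crashes and information leaks.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; options allowed
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    if proto != PROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")

    tcp = ip[ihl:total_len]              # total_len also drops any Ethernet padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4     # TCP header length in bytes
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("inconsistent TCP data offset")

    return {
        "physical": (mac_str(src_mac), mac_str(dst_mac)),  # data link layer
        "logical": (ipv4_str(src_ip), ipv4_str(dst_ip)),    # network layer
        "port": (src_port, dst_port),                       # transport layer
        "specific": tcp[data_off:],                         # application layer data
    }

def is_well_formed(frame):
    """True when parse_frame() accepts the frame, False when it rejects it."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False

def build_sample_frame():
    """Constructed frame: 10.0.0.5:40000 -> 10.0.0.9:25 carrying an SMTP
    command whose argument is the specific (e-mail) address."""
    payload = b"MAIL FROM:<alice@example.com>\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 25, 1, 0, 5 << 12, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),       # destination MAC
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)  # source MAC
    return eth + ip + tcp + payload

if __name__ == "__main__":
    for level, value in parse_frame(build_sample_frame()).items():
        print(f"{level:9s} {value}")
```

Each header is validated before the next one is read, so a frame that is shorter than its own length fields claim is rejected instead of being read past the end; `is_well_formed()` wraps that check for callers that only need a yes/no answer.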



Appendix D Elementary Probability

Probability theory plays a very important role in cryptography because it provides the
best way to quantify uncertainty, and the field of cryptography is full of uncertainty.
This appendix reviews some concepts of probability theory that are needed to understand
some topics discussed in this book.

D.1 INTRODUCTION

We begin with definitions, axioms, and properties.

Definitions

Random Experiment

An experiment can be defined as any process that changes an input to an output. A
random experiment is an experiment in which the same input can result in two different
outputs. In other words, the output cannot be uniquely defined from knowledge of
the input. For example, when we toss a fair coin two times, the input (the coin) is the
same, but the output (heads or tails) can be different.

Outcomes

Each output of a random experiment is called an outcome. For example, when a six-sided
die is rolled, the possible outcomes are 1, 2, 3, 4, 5, and 6.

Sample Space

A sample space, S, is a set of all possible outcomes of a random experiment. When a
coin is tossed, the space has only two elements, S = {heads, tails}. When a die is rolled,
the sample space has six elements, S = {1, 2, 3, 4, 5, 6}. A sample space is sometimes
referred to as a probability space, a random space, or a universe.

When a random experiment is performed, we are interested in a subset of the sample
space, not necessarily a single outcome. For example, when a die is rolled we may be
interested in getting a 2, an even number, or a number less than 4. Each of these possible
outcomes can be thought of as an event. An event, A, is a subset of the sample
space. The previously mentioned events can be defined as follows:

a. Getting a 2 (simple outcome): A1 = {2}

b. Getting an even number: A2 = {2, 4, 6}

c. Getting a number less than 4: A3 = {1, 2, 3}

Probability Assignment

The main idea in probability theory is the idea of an event. But what is the probability
of a given event? This has been debated for centuries. Recently, mathematicians have
come to an agreement that we can assign probabilities to events using three methods:
classical, statistical, and computational.

Classical Probability Assignment

In classical probability assignment, the probability of an event A is a number interpreted
as P(A) = m/n, where n is the total number of possible outcomes and m is the
number of possible outcomes related to event A. This definition is useful only if each
outcome is equally probable.



Example D.1

We toss a fair coin. What is the probability that the outcome will be heads?

Solution

The total number of possible outcomes is 2 (heads, tails). The number of possible outcomes
related to this event is 1 (only heads). Therefore, we have P(heads) = 1/2.

Example D.2

We roll a fair die. What is the probability of getting a 5?

Solution

The total number of possible outcomes is 6, S = {1, 2, 3, 4, 5, 6}. The number of possible out-

Statistical Probability Assignment

In statistical probability assignment, an experiment is performed n times under equal
conditions. If event A occurs m times when n is reasonably large, the probability of an
event A is a number interpreted as P(A) = m/n. This definition is useful when the events
are not equally likely.

Example D.3

We toss a nonfair coin 10,000 times and get heads 2600 times and tails 7400 times. Therefore,
P(heads) = 2600/10,000 = 0.26 and P(tails) = 7400/10,000 = 0.74.




Computational Probability Assignment

In computational probability assignment, an event is assigned a probability based on
the probabilities of other events, using the axioms and properties discussed in the
next section.

Probability axioms cannot be proved, but they are assumed when using probability theory.
The following three axioms are fundamental to probability theory.

□ Axiom 1. The probability of an event is a nonnegative value: P(A) ≥ 0.

□ Axiom 2. The probability of the random space is 1: P(S) = 1. In other words, one
of the possible outcomes will definitely occur.

□ Axiom 3. If A1, A2, A3, ... are pairwise disjoint events, then

P(A1 or A2 or A3 or ...) = P(A1) + P(A2) + P(A3) + ...

Events A1, A2, A3, ... are pairwise disjoint events if the occurrence of one does not
change the probability of the occurrence of the others.

X> 

Properties

Accepting the above axioms, a set of properties can be proven. Following are the minimum
properties required to understand the related topics in this book (we leave the
proofs to the books on probability):

□ The probability of an event is always between 0 and 1: 0 ≤ P(A) ≤ 1.

□ The probability of no outcome is 0: P(∅) = 0. In other words, if we roll a die, the
probability that none of the numbers will show is 0 (impossible event).

□ If Ā is the complement of A, then P(Ā) = 1 - P(A). For example, if the probability
of getting a 2 in rolling a die is 1/6, the probability of not getting a 2 is (1 - 1/6).

□ If A is a subset of B, then P(A) ≤ P(B). For example, when we roll a die, P(2 or 3)
is less than P(2 or 3 or 4).

□ If events A, B, C, ... are independent, then

P(A and B and C and ...) = P(A) × P(B) × P(C) × ...

Conditional Probability

The occurrence of an event A may convey some information about the occurrence of
another event B. The conditional probability of an event B, given that event A has
occurred, is shown as P(B | A). It can be proved that

P(B | A) = P(A and B) / P(A)

Note that if A and B are independent events, then P(B | A) = P(B).

Example D.4

A fair die has been rolled. If we are told that the outcome is an even number, what is the probability
that it is 4?

Solution

P(4 | even) = P(4 and even)/P(even). Because there is only one way to get 4, and the number is
also even, P(4 and even) = 1/6. P(even) = P(2 or 4 or 6) = 3/6. Therefore,

P(4 | even) = (1/6) / (3/6) = 1/3

Note that the conditional probability P(4 | even) is larger than P(4).
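The classical assignment, the properties and the conditional-probability formula above can all be carried out mechanically once events are treated as subsets of the sample space. The following is an added example, not code from the book: events are Python sets, probabilities are exact fractions, and the die spaces, the "first die shows 4" and "sum is 7 / 8" events are constructed to reproduce Example D.4 and to show one independent and one dependent pair of events.

```python
"""Classical and conditional probability over a finite sample space.

Added example, not from the textbook: events are Python sets drawn from
a sample space S, and the functions below implement the classical
assignment P(A) = m/n, the complement and independence properties, and
the conditional probability P(B | A) = P(A and B) / P(A) from Appendix D.
Fractions keep the arithmetic exact, so 1/6 + 5/6 is exactly 1.
"""
from fractions import Fraction
from itertools import product

DIE = frozenset(range(1, 7))                           # sample space of one fair die
TWO_DICE = frozenset(product(range(1, 7), repeat=2))   # ordered pairs (first, second)

def prob(event, space):
    """Classical assignment: with equally likely outcomes, P(A) = |A ∩ S| / |S|.
    Outcomes of A that are not in S are ignored rather than counted."""
    space = frozenset(space)
    if not space:
        raise ValueError("empty sample space")
    return Fraction(len(frozenset(event) & space), len(space))

def complement_prob(event, space):
    """Property: P(not A) = 1 - P(A)."""
    return 1 - prob(event, space)

def conditional_prob(b, a, space):
    """P(B | A) = P(A and B) / P(A); undefined when A is impossible."""
    p_a = prob(a, space)
    if p_a == 0:
        raise ValueError("conditioning on an event of probability 0")
    return prob(frozenset(a) & frozenset(b), space) / p_a

def independent(a, b, space):
    """A and B are independent exactly when P(A and B) = P(A) x P(B),
    equivalently when P(B | A) = P(B)."""
    return prob(frozenset(a) & frozenset(b), space) == prob(a, space) * prob(b, space)

def axiom3_holds(events, space):
    """Axiom 3 check: for pairwise disjoint events the probability of their
    union equals the sum of their probabilities."""
    events = [frozenset(e) for e in events]
    for i, x in enumerate(events):
        for y in events[i + 1:]:
            if x & y:
                raise ValueError("events are not pairwise disjoint")
    union = frozenset().union(*events)
    return prob(union, space) == sum(prob(e, space) for e in events)

if __name__ == "__main__":
    even = {2, 4, 6}
    print("P(4 | even) =", conditional_prob({4}, even, DIE))       # 1/3, Example D.4
    print("P(not 2)    =", complement_prob({2}, DIE))              # 5/6
    first_is_4 = {p for p in TWO_DICE if p[0] == 4}
    sum_is_7 = {p for p in TWO_DICE if sum(p) == 7}
    sum_is_8 = {p for p in TWO_DICE if sum(p) == 8}
    print("first=4, sum=7 independent?", independent(first_is_4, sum_is_7, TWO_DICE))  # True
    print("first=4, sum=8 independent?", independent(first_is_4, sum_is_8, TWO_DICE))  # False
```

The two-dice cases are the useful part: knowing that the first die shows 4 tells you nothing about whether the sum is 7 (every first value leaves exactly one second value that works), but it does change the odds that the sum is 8, which is exactly the distinction between P(B | A) = P(B) and P(B | A) ≠ P(B) made in the text.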


D.2 RANDOM VARIABLES

A variable can assume different values. Variables whose values depend on the outcomes
of a random experiment are called random variables.

Continuous Random Variables

The random variables that can take an uncountable infinite number of values are
referred to as continuous random variables. We are not usually interested in this type
of random variables in cryptography.

Discrete Random Variables

In cryptography we are interested in random experiments with a countable number of
outcomes (such as rolling a die). The random variables associated with this type of
experiment are referred to as discrete random variables. A discrete random variable is
a mapping from the set of countable outcomes to the set of real values. For example, we
can map the outcomes of flipping a coin (heads, tails) to the set {0, 1}.




Appendix E Birthday Problems

Birthday problems were introduced in Chapter 11. In this appendix, general solutions
to four birthday problems are given using the probability discussed in Appendix D. The
following relation from mathematics is used to simplify the solutions:

1 - x ≈ e^(-x)        (Taylor series when x is small)

E.1 FOUR PROBLEMS

We present solutions to four problems discussed in Chapter 11.

O 

First Problem

We have a sample set of k values, in which each sample can take only one of the N
equally probable values. What is the minimum size of the sample set, such that, with
probability P ≥ 1/2, at least one of the samples is equal to a predetermined value?

To solve the problem, we first find the probability P that at least one sample is equal
to the predetermined value. We then set the probability to 1/2 to find the minimum size of
the sample.

O 

Probability

We follow four steps to find the probability P:

1. If p is the probability that a selected sample is equal to the predefined value, then
p = 1/N because the sample can equally likely be any of the N values.

2. If q is the probability that a selected sample is not equal to the predefined value,
then q = 1 - p = (1 - 1/N).

3. If each sample is independent (a fair assumption), and Q is the probability that no
sample is equal to the predefined value, then Q = q^k = (1 - 1/N)^k.



4. Finally, if P is the probability that at least one sample is equal to the predetermined
value, then P = 1 - Q or P = 1 - (1 - 1/N)^k.

Sample Size

Now we find the minimum size of the sample with P ≥ 1/2 to be k ≥ ln 2 × N, as shown
below:

P = 1 - (1 - 1/N)^k ≥ 1/2   →   (1 - 1/N)^k ≤ 1/2
(1 - 1/N)^k ≈ e^(-k/N) ≤ 1/2   →   k/N ≥ ln 2   →   k ≥ ln 2 × N        Using the approximation 1 - x ≈ e^(-x) with x = 1/N

First Problem
Probability: P = 1 - (1 - 1/N)^k        Sample size: k ≥ ln 2 × N

Second Problem

The second problem is the same as the first except that the predefined value is one of
the samples. This means that we can use the result of the first problem if we replace
k with k - 1 because after selecting one sample from the sample set only k - 1 samples
are left. Therefore, P = 1 - (1 - 1/N)^(k-1) and k ≥ ln 2 × N + 1.

Second Problem
Probability: P = 1 - (1 - 1/N)^(k-1)        Sample size: k ≥ ln 2 × N + 1

Third Problem

In the third problem, we need to find the minimum size, k, of the sample set, such that,
with probability P ≥ 1/2, at least two of the samples have the same values. To solve the
problem, we first find the corresponding probability P. We then set the probability to 1/2
to find the minimum size of the sample.

Probability

We use a different strategy here:

1. We assign probabilities to samples one at a time. Assume that P_i is the probability
that the sample i has the same value as one of the previous samples and Q_i is the
probability that the sample i has a value different from all previous samples.

a. Because there is no sample before the first sample, P_1 = 0 and Q_1 = 1 - 0 = 1.

b. Because there is one sample before the second sample and the first sample can
have one of the N values, P_2 = 1/N and Q_2 = (1 - 1/N).

c. Because there are two samples before the third sample and each of the two
samples can have one of the N values, P_3 = 2/N and Q_3 = (1 - 2/N).

d. Continuing with the same logic, P_k = (k - 1)/N and Q_k = (1 - (k - 1)/N).



2. Assuming that all samples are independent, the probability Q that all samples have
different values is

Q = Q_1 × Q_2 × ... × Q_k = (1 - 1/N) × (1 - 2/N) × ... × (1 - (k - 1)/N)
Q ≈ e^(-1/N) × e^(-2/N) × ... × e^(-(k-1)/N)        Using the approximation 1 - x ≈ e^(-x) with x = i/N
Q ≈ e^(-[1 + 2 + ... + (k-1)]/N) = e^(-k(k-1)/2N)        Using the relation 1 + 2 + ... + (k - 1) = k(k - 1)/2
Q ≈ e^(-k²/2N)        Using the approximation k(k - 1) ≈ k²

3. Finally, if P is the probability that at least two samples have the same values, then
we have P = 1 - Q or P ≈ 1 - e^(-k²/2N).

Sample Size

Now we find the minimum size of the sample with P ≥ 1/2 to be k ≥ (2 × ln 2)^(1/2) × N^(1/2) or
k ≥ 1.18 × N^(1/2), as shown below:

P ≈ 1 - e^(-k²/2N) ≥ 1/2   →   e^(-k²/2N) ≤ 1/2   →   k²/2N ≥ ln 2
k² ≥ 2 × ln 2 × N   →   k ≥ (2 × ln 2)^(1/2) × N^(1/2)   →   k ≥ 1.18 × N^(1/2)

Third Problem
Probability: P ≈ 1 - e^(-k²/2N)        Sample size: k ≥ (2 × ln 2)^(1/2) × N^(1/2)

Fourth Problem

In the fourth problem, we have two sample sets of equal size k. We need to find the minimum
value of k, such that, with probability P ≥ 1/2, at least one of the samples in the first
set has the same value as a sample in the second set. To solve the problem, we first find
the corresponding probability P. We then set the probability to 1/2 to find the minimum
size of the sample.

Probability

We solve this using a strategy similar to the one we used for the first problem:

1. According to the first problem, the probability that all samples in the first set have
values different from the value of the first sample in the second set is Q_1 = (1 - 1/N)^k.

2. The probability that all samples in the first set have values different from the first
and second samples in the second set is Q_2 = (1 - 1/N)^k × (1 - 1/N)^k.

3. We can extend the logic to say that the probability that all samples in the first set
have values different from any sample in the second set is

Q_k = (1 - 1/N)^k × (1 - 1/N)^k × ... × (1 - 1/N)^k = (1 - 1/N)^(k²)
Q_k ≈ e^(-k²/N)        Using the approximation 1 - x ≈ e^(-x) with x = 1/N



4. Finally, if P is the probability that at least one sample from the first set has the
same value as one of the samples in the second set, then P = 1 - Q_k or P ≈ 1 - e^(-k²/N).

Sample Size

Now we find the minimum common size of the samples as shown below:

P ≈ 1 - e^(-k²/N) ≥ 1/2   →   e^(-k²/N) ≤ 1/2   →   k²/N ≥ ln 2   →   k ≥ (ln 2)^(1/2) × N^(1/2)

Fourth Problem
Probability: P ≈ 1 - e^(-k²/N)        Sample size: k ≥ (ln 2)^(1/2) × N^(1/2)

E.2 SUMMARY

Table E.1 gives the expressions for the probability (P) and the sample size (k) for each
of the four problems.

Table E.1 Summary of the four birthday problems

Problem   Probability                Value of k with probability P                 Value of k with P = 1/2
1         P ≈ 1 - e^(-k/N)           k ≈ ln[1/(1 - P)] × N                         k ≈ 0.69 × N
2         P ≈ 1 - e^(-(k-1)/N)       k ≈ ln[1/(1 - P)] × N + 1                     k ≈ 0.69 × N + 1
3         P ≈ 1 - e^(-k²/2N)         k ≈ (2 × ln[1/(1 - P)])^(1/2) × N^(1/2)       k ≈ 1.18 × N^(1/2)
4         P ≈ 1 - e^(-k²/N)          k ≈ [ln(1/(1 - P))]^(1/2) × N^(1/2)           k ≈ 0.83 × N^(1/2)
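The four problems are easy to check numerically, and doing so shows how good the e^(-x) approximations are. The following is an added example, not code from the book: it implements the exact step-by-step products from each problem, the closed forms obtained with 1 - x ≈ e^(-x), and the sample sizes from Table E.1, and it searches the exact formula for the true minimum k so the two can be compared. N = 365 (birthdays) and N = 2^32 (a 32-bit digest) are the constructed inputs; reading N as the number of possible hash values is what makes problem 3 the collision bound and problems 1 and 2 the preimage and second-preimage bounds.

```python
"""The four birthday problems of Appendix E, computed exactly and approximately.

Added example, not from the textbook. N is the number of equally
probable values a sample can take and k the sample size. The *_exact
functions follow the step-by-step products from the text, approx() uses
the closed forms obtained with 1 - x ≈ e^(-x), k_for() is the sample
size from Table E.1, and min_k() finds the true minimum by searching the
exact formula. Read N as the number of possible hash digests: problems
1 and 2 describe preimage and second-preimage searches, problem 3 a
collision search, and problem 4 a search across two independent lists.
"""
import math

def p1_exact(N, k):
    """Problem 1: P(at least one of k samples equals a fixed value)."""
    return 1 - (1 - 1 / N) ** k

def p2_exact(N, k):
    """Problem 2: one sample is the reference, so only k - 1 samples remain."""
    return 1 - (1 - 1 / N) ** (k - 1)

def p3_exact(N, k):
    """Problem 3: P(at least two of k samples share a value).
    Q = product of (1 - i/N) for i = 0 .. k-1; with k > N a match is certain."""
    if k > N:
        return 1.0
    q = 1.0
    for i in range(k):
        q *= 1 - i / N
    return 1 - q

def p4_exact(N, k):
    """Problem 4: two sets of k samples; P(some cross-set pair matches).
    Each of the k*k pairs differs with probability 1 - 1/N."""
    return 1 - (1 - 1 / N) ** (k * k)

EXACT = {1: p1_exact, 2: p2_exact, 3: p3_exact, 4: p4_exact}

def approx(problem, N, k):
    """Closed forms from Appendix E, using 1 - x ≈ e^(-x) for small x."""
    return {
        1: 1 - math.exp(-k / N),
        2: 1 - math.exp(-(k - 1) / N),
        3: 1 - math.exp(-k * k / (2 * N)),
        4: 1 - math.exp(-k * k / N),
    }[problem]

def k_for(problem, N, P=0.5):
    """Sample size reaching probability P, as in Table E.1 (P = 1/2 gives
    the 0.69 N, 0.69 N + 1, 1.18 sqrt(N) and 0.83 sqrt(N) rules of thumb)."""
    if not 0 < P < 1:
        raise ValueError("P must be strictly between 0 and 1")
    L = math.log(1 / (1 - P))
    return {
        1: L * N,
        2: L * N + 1,
        3: math.sqrt(2 * L * N),
        4: math.sqrt(L * N),
    }[problem]

def min_k(problem, N, P=0.5):
    """Smallest k whose exact probability reaches P (linear search; fine
    for small N, use k_for() for hash-sized N)."""
    f = EXACT[problem]
    k = 1
    while f(N, k) < P:
        k += 1
    return k

if __name__ == "__main__":
    N = 365
    for problem in (1, 2, 3, 4):
        print(f"problem {problem}: exact min k = {min_k(problem, N):4d}, "
              f"Table E.1 estimate = {k_for(problem, N):7.2f}")
    # A 32-bit digest: a collision is expected after roughly 1.18 * 2^16 samples,
    # while a preimage search needs about 0.69 * 2^32 of them.
    print(f"N = 2^32: collision k ≈ {k_for(3, 2**32):.0f}, preimage k ≈ {k_for(1, 2**32):.0f}")
```

For N = 365 the exact search gives k = 23 for the third problem while Table E.1 gives 22.49, and the approximation k(k - 1) ≈ k² is the main source of the gap; the ratio between the problem 1 and problem 3 answers is what makes a hash function's collision resistance worth only about half as many bits as its preimage resistance.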




Appendix F Information Theory

In this appendix we discuss several concepts from information theory that are related
to topics discussed in this book.



F.1 MEASURING INFORMATION

How can we measure the information in an event? How much information does an event carry? Let us answer these questions through examples.

Example F.1

Imagine a person sitting in a room. Looking out the window, she can clearly see that the sun is shining. If at this moment she receives a call (event) from a neighbor saying, "It is now daytime," does this message contain any information? It does not. She is already certain that it is daytime. The message does not remove any uncertainty from her mind.

Example F.2

Imagine a person has bought a lottery ticket. If a friend calls to tell her that she has won first prize, does this message (event) contain any information? It does. The message contains a lot of information, because the probability of winning first prize is very small. The receiver of the message is totally surprised.

The above two examples show that there is a relationship between the usefulness of an event and the expectation of the receiver. If the receiver is surprised when the event happens, the message contains a lot of information; otherwise, it does not. In other words, the information content of a message is inversely related to the probability of the occurrence of that message. If the event is very probable, it does not contain any information (Example F.1); if it is very improbable, it contains a lot of information (Example F.2).




F.2 ENTROPY

Assume that S is a finite probability sample space (see Appendix D). The entropy or uncertainty of S is defined as

H(S) = Σ P(s) × [log2 1/P(s)] bits

where s ∈ S is a possible outcome of the experiment. Note that if P(s) = 0, then we let the corresponding term, P(s) × [log2 1/P(s)], be 0 to avoid dividing by 0.


Example F.3

Assume that we toss a fair coin. The outcomes are heads and tails, each with a probability of 1/2. This means

H(S) = (1/2) × log2 2 + (1/2) × log2 2 = 1 bit

This example shows that the result of flipping a fair coin gives us 1 bit of information (uncertainty). In each flipping, we don't know what the outcome will be; the two possibilities are equally likely.

Example F.4

Assume that we toss a nonfair coin. The outcomes are heads and tails, with P(heads) = 3/4 and P(tails) = 1/4. This means

H(S) = (3/4) × log2 (4/3) + (1/4) × log2 4 ≈ 0.8 bit

This example shows that the result of flipping a nonfair coin gives us only 0.8 bit of information (uncertainty). The amount of information here is less than the amount of information in Example F.3 because we are expecting to get heads most of the time; we are surprised only when we get tails.



Example F.5

Now assume that we toss a totally nonfair coin, in which the outcome is always heads: P(heads) = 1 and P(tails) = 0. The entropy in this case is

H(S) = 1 × log2 1 + 0 = 0 bits

There is no information (uncertainty) in this experiment. We know that the outcome will always be heads; the entropy is 0.



Maximum Entropy

It can be proven that for a particular probability sample space with n possible outcomes, maximum entropy can be achieved only if all the probabilities are the same (all outcomes are equally likely). In this case, the maximum entropy is

H_max(S) = log2 n bits



In other words, the entropy of every probability sample space has an upper limit defined by this formula.

Example F.6

Assume that we roll a six-sided fair die. The entropy of the experiment is H(S) = log2 6 ≈ 2.58 bits.

Minimum Entropy

It can be proven that for a particular probability sample space with n possible outcomes, minimum entropy is obtained when only one of the outcomes occurs all the time. In this case, the minimum entropy is

H_min(S) = 0 bits

In other words, the entropy of every probability sample space has a lower limit defined by the above formula.

The entropy of a probability sample space is between 0 bits and log2 n bits, where n is the number of possible outcomes.

Interpretation of Entropy

Entropy can be thought of as the number of bits needed to represent each outcome of a probability sample space when the outcomes are equally probable. For example, when a probability sample space has eight possible outcomes, each outcome can be represented as three bits (000 to 111). When we receive the result of the experiment, we can say that we have received 3 bits of information. The entropy of this probability sample space is also 3 bits (log2 8 = 3).

Joint Entropy

When we have two probability sample spaces, S1 and S2, we can define the joint entropy H(S1, S2) as

H(S1, S2) = Σ Σ P(x, y) × [log2 1/P(x, y)] bits



Conditional Entropy

We often need to know the uncertainty in the probability sample space S1 given the uncertainty in probability sample space S2. This is referred to as conditional entropy H(S1 | S2). It can be proven that

H(S1 | S2) = H(S1, S2) − H(S2) bits







Using the relations obtained in the previous example and the fact that H(P, K) = H(P) + H(K) because P and K are independent, we have

H(P, K, C) = H(C | P, K) + H(P, K) = H(P, K) = H(P) + H(K)





Example

Shannon showed that in a cryptosystem, if (1) the keys in the key sample space occur with equal probability and (2) for each plaintext and each ciphertext there is a unique key, then the cryptosystem provides perfect secrecy. The proof uses the fact that, in this case, the key, plaintext, and ciphertext probability sample spaces are of the same size.
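The definitions of this section (entropy, joint entropy, conditional entropy) and the perfect-secrecy condition of the example above, worked in Python. This is an added example, not code from the book: the toy cipher C = (P + K) mod N, the 4-letter plaintext distribution and the two key distributions are constructed here for illustration. With a uniform key, H(P | C) equals H(P), so the ciphertext reveals nothing about the plaintext; with a biased key the gap H(P) − H(P | C) is positive.

```python
import math
from collections import defaultdict


def entropy(probs):
    """H(S) = sum over s of P(s) * log2(1/P(s)) bits.
    A term with P(s) = 0 is taken as 0, the convention stated in Section F.2."""
    return sum(p * math.log2(1.0 / p) for p in probs if p > 0)


def joint_entropy(joint):
    """joint maps an outcome pair (x, y) to P(x, y); H(S1, S2) is the entropy of that distribution."""
    return entropy(joint.values())


def conditional_entropy(joint):
    """H(S1 | S2) = H(S1, S2) - H(S2), where S2 is the second coordinate of each pair."""
    marginal_s2 = defaultdict(float)
    for (_, y), p in joint.items():
        marginal_s2[y] += p
    return joint_entropy(joint) - entropy(marginal_s2.values())


def shift_cipher_joint(plain_probs, key_probs):
    """Joint distribution of (plaintext, ciphertext) for the toy cipher C = (P + K) mod N.
    Constructed for illustration: N = len(plain_probs) letters, key drawn independently of the plaintext."""
    n = len(plain_probs)
    joint = defaultdict(float)
    for p, pp in enumerate(plain_probs):
        for k, pk in enumerate(key_probs):
            joint[(p, (p + k) % n)] += pp * pk
    return dict(joint)


def plaintext_leakage(plain_probs, key_probs):
    """H(P) - H(P | C): how many bits the ciphertext reveals about the plaintext.
    Zero means perfect secrecy (seeing C leaves the uncertainty about P unchanged)."""
    joint = shift_cipher_joint(plain_probs, key_probs)
    return entropy(plain_probs) - conditional_entropy(joint)


# Constructed sample distributions: a skewed 4-letter "language", a uniform key and a biased key.
PLAIN = [0.5, 0.25, 0.125, 0.125]
UNIFORM_KEY = [0.25, 0.25, 0.25, 0.25]
BIASED_KEY = [0.7, 0.1, 0.1, 0.1]

if __name__ == "__main__":
    print("fair coin      :", entropy([0.5, 0.5]), "bit")                 # Example F.3
    print("nonfair coin   :", round(entropy([0.75, 0.25]), 2), "bit")     # Example F.4
    print("always heads   :", entropy([1.0, 0.0]), "bit")                 # Example F.5
    print("fair die       :", round(entropy([1 / 6] * 6), 2), "bits")     # Example F.6
    print("leak, uniform K:", round(plaintext_leakage(PLAIN, UNIFORM_KEY), 6), "bits")
    print("leak, biased K :", round(plaintext_leakage(PLAIN, BIASED_KEY), 3), "bits")
```

The leakage function is the practical check behind Shannon's condition: a key that is not uniformly distributed over a key space of the same size as the message space lets the ciphertext lower the receiver's uncertainty about the plaintext.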


F.3 ENTROPY OF A LANGUAGE

It is interesting to relate the concept of entropy to natural languages, such as English. In this section, we highlight some points related to entropy.

Entropy of an Arbitrary Language

Assume that a language uses N letters and that all the letters have equal likelihood of occurring. We can say that the entropy of this language is H_L = log2 N. For example, if we use the twenty-six uppercase letters (A to Z) to send our message, the entropy, or the information contained in each letter, is H_L = log2 26 = 4.7 bits. In other words, receiving a letter in this language is equal to receiving 4.7 bits. This means that we can encode the letters in this language using 5-bit words; instead of sending a letter, we can send one 5-bit word.

Entropy of the English Language

The entropy of the English language is much less than 4.7 bits (if we use only uppercase letters), for two reasons. First, the letters are not equally likely to occur. Chapter 3 shows the frequencies of letters occurring in the English language. The letter E is much more likely to occur than the letter Z. Second, the existence of digrams and trigrams reduces the amount of information in the received text. If we receive the letter Q, it is very likely that the next letter is U. Also, if we receive the five consecutive letters SELLI, it is very likely that the next two letters are NG. These two facts reduce the entropy of the English language, as Shannon has cleverly calculated, to the average value of 1.50.

Redundancy

The redundancy of a language has been defined as

R = 1 − H_L / (log2 N)

In the case of the English language using only uppercase letters, R ≈ 1 − 1.50/4.7 = 0.68. In other words, there is a 70 percent redundancy in an English message. A compression algorithm can compress an English text up to 70 percent without losing the contents.




Unicity Distance

Another definition by Shannon is the unicity distance. The unicity distance is the minimum length of ciphertext, n_0, required for Eve to uniquely determine the key (given enough time) and consequently the plaintext. The unicity distance is defined as

n_0 = H(K) / [R × H(P)]

Example F.11

The substitution cipher uses a key domain of 26! keys and an alphabet of 26 characters. Using the redundancy of 0.70 for the English language, the unicity distance is

n_0 = log2 (26!) / [0.70 × log2 26] ≈ 88.4 / 3.29 ≈ 27

This means that a ciphertext of at least 27 characters is needed for Eve to uniquely find the plaintext.

Example F.12

The shift cipher uses a key domain of 26 keys and an alphabet of 26 characters. Using the redundancy of 0.70 for the English language, the unicity distance is

n_0 = log2 26 / [0.70 × log2 26] ≈ 1.43

This means that a ciphertext of at least 2 characters is needed for Eve to uniquely find the plaintext. Of course, this is a very rough estimate. In an actual situation, Eve needs more characters to break the code.
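The redundancy formula and the unicity distance of Examples F.11 and F.12, computed in Python as an added example (not the book's code). It uses the book's values: H_L = 1.50 for English, R = 0.70, a 26-letter alphabet, and H(P) = log2 26 for the per-letter entropy in the denominator.

```python
import math


def log2_factorial(n):
    """log2(n!) as a sum of logarithms; avoids forming 26! itself."""
    return sum(math.log2(i) for i in range(2, n + 1))


def redundancy(h_l, n_letters):
    """R = 1 - H_L / log2(N), the definition in Section F.3."""
    return 1.0 - h_l / math.log2(n_letters)


def unicity_distance(h_k, r, h_p):
    """n0 = H(K) / [R x H(P)], where H(P) = log2 N is the entropy of one letter of the alphabet."""
    return h_k / (r * h_p)


def ciphertext_needed(h_k, r=0.70, n_letters=26):
    """Smallest whole number of ciphertext letters at or above the unicity distance."""
    return math.ceil(unicity_distance(h_k, r, math.log2(n_letters)))


def substitution_cipher_letters(r=0.70):
    """Example F.11: key space of 26! keys, so H(K) = log2(26!)."""
    return ciphertext_needed(log2_factorial(26), r)


def shift_cipher_letters(r=0.70):
    """Example F.12: key space of 26 keys, so H(K) = log2 26."""
    return ciphertext_needed(math.log2(26), r)


if __name__ == "__main__":
    print("R for English (H_L = 1.5):", round(redundancy(1.5, 26), 2))
    print("substitution cipher:", substitution_cipher_letters(), "letters")
    print("shift cipher       :", shift_cipher_letters(), "letters")
```

The ceiling is deliberate: the unicity distance is a real number, and the question a defender asks is how many whole ciphertext letters an attacker must see before the key is, in principle, determined.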

Appendix G  Use of Irreducible and Primitive Polynomials





Recall from Chapter 4 that an irreducible polynomial in GF(2^n) is a polynomial with degree n that cannot be factored into polynomials with degree less than n. Also recall from Chapter 4 that a primitive polynomial is an irreducible polynomial that divides x^e − 1, where e = 2^n − 1 is the least integer for which this holds. This means that a primitive polynomial is necessarily an irreducible polynomial, but an irreducible polynomial is not necessarily a primitive polynomial. Table G.1 shows the irreducible and primitive polynomials for degrees 1 to 8. Those in parentheses are only irreducible but not primitive.

Table G.1  Irreducible and primitive polynomials

Degree   Polynomials (in hexadecimal format)
1        3
2        7
3        B  D
4        13  19  (1F)
5        25  29  2F  37  3B  3D
6        43  (45)  49  57  5B  61  6D  73
7        83  89  8F  91  9D  A7  AB  B9  BF  C1  CB  D3  E5  EF  F1  F7  FD
8        (11B)  11D  12B  12D  (139)  (13F)  14D  15F  163  165  171  (177)  (17B)  187  (18B)  (19F)  (1A3)  1A9  (1B1)
         1CF  (1D7)  (1DD)  1E7  (1F3)  1F5  (1F9)




To find the polynomial represented by a hexadecimal number in the table, first write the number in binary and then convert it to the polynomial: each 1 bit in position i stands for the term x^i.



Example G.1

Find the first primitive polynomial of degree 7.

Solution

The first entry for degree 7 is 83 in hexadecimal, which is both an irreducible and a primitive polynomial. The integer 83 in hexadecimal is 1000 0011 in binary. The corresponding polynomial is x^7 + x + 1.

v 

Example G.2

Find the first irreducible polynomial of degree 6 which is not a primitive polynomial.

Solution

The first nonprimitive polynomial of degree 6 is (45) in hexadecimal. The integer 45 in hexadecimal is equivalent to 0100 0101 in binary. Note that we must keep only 7 bits. The corresponding polynomial is x^6 + x^2 + 1.

Example G.3

Find the second irreducible polynomial of degree 8 which is not a primitive polynomial.

Solution

The second nonprimitive polynomial of degree 8 is (139) in hexadecimal. The integer 139 in
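The conversion procedure of these examples, together with the two tests that decide where a polynomial belongs in Table G.1, as an added Python example (not the book's code). Polynomials over GF(2) are packed into integers exactly as the table's hexadecimal entries are: bit i is the coefficient of x^i. Irreducibility is checked by trial division by every polynomial of at most half the degree, which is enough for degree 8; primitivity is checked by computing the order of x in GF(2)[x]/(m), which must be 2^n − 1. The function table_row regenerates a whole row of Table G.1 and so goes beyond the single entries the examples look up.

```python
def degree(p):
    """Degree of a GF(2) polynomial packed as an integer (bit i = coefficient of x^i); -1 for zero."""
    return p.bit_length() - 1


def poly_mod(a, m):
    """Remainder of a divided by m over GF(2)."""
    dm = degree(m)
    while a and degree(a) >= dm:
        a ^= m << (degree(a) - dm)
    return a


def poly_mulmod(a, b, m):
    """(a * b) mod m over GF(2): shift-and-add, reducing after every shift."""
    a, b, r = poly_mod(a, m), poly_mod(b, m), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if degree(a) == degree(m):
            a ^= m
    return r


def poly_powmod(base, e, m):
    """base^e mod m over GF(2) by square-and-multiply."""
    r, base = 1, poly_mod(base, m)
    while e:
        if e & 1:
            r = poly_mulmod(r, base, m)
        base = poly_mulmod(base, base, m)
        e >>= 1
    return r


def is_irreducible(m):
    """Trial division by every polynomial of degree 1 .. deg(m)//2 (d = 2 is x, d = 3 is x + 1, ...)."""
    n = degree(m)
    if n < 1:
        return False
    return all(poly_mod(m, d) != 0 for d in range(2, 1 << (n // 2 + 1)))


def prime_factors(n):
    f, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            f.add(d)
            n //= d
        d += 1
    if n > 1:
        f.add(n)
    return f


def is_primitive(m):
    """Irreducible, and x has order exactly 2^n - 1 modulo m (so m divides x^e - 1 for no smaller e)."""
    if not is_irreducible(m):
        return False
    e = (1 << degree(m)) - 1
    x = 0b10
    return poly_powmod(x, e, m) == 1 and all(poly_powmod(x, e // q, m) != 1 for q in prime_factors(e))


def hex_to_poly_str(h):
    """The Example G.1 procedure: write the number in binary and read off the set bits."""
    terms = []
    for i in range(degree(h), -1, -1):
        if h >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def table_row(n):
    """All irreducible polynomials of degree n as (hex string, primitive?) pairs, like a row of Table G.1."""
    return [(f"{p:X}", is_primitive(p)) for p in range(1 << n, 1 << (n + 1)) if is_irreducible(p)]


if __name__ == "__main__":
    print(hex_to_poly_str(0x83), "irreducible:", is_irreducible(0x83), "primitive:", is_primitive(0x83))
    print(" ".join(v if prim else f"({v})" for v, prim in table_row(5)))
```

Running table_row(8) lists the thirty irreducible polynomials of degree 8, sixteen of them primitive; the parenthesised entries are the ones a field implementation can use for arithmetic but not as a generator of the multiplicative group.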

Appendix H  Primes Less Than 10,000

This appendix lists the primes less than 10,000. Each table covers a range of one thousand integers, and the total number of primes in that range is given after the table.

Table H.1  List of primes in the range 1-1000

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97
101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
211 223 227 229 233 239 241 251 257 263 269 271 277 281 283 293
307 311 313 317 331 337 347 349 353 359 367 373 379 383 389 397
401 409 419 421 431 433 439 443 449 457 461 463 467 479 487 491 499
503 509 521 523 541 547 557 563 569 571 577 587 593 599
601 607 613 617 619 631 641 643 647 653 659 661 673 677 683 691
701 709 719 727 733 739 743 751 757 761 769 773 787 797
809 811 821 823 827 829 839 853 857 859 863 877 881 883 887
907 911 919 929 937 941 947 953 967 971 977 983 991 997

The total number of primes in the range 1-1000 is 168.

Table H.2  List of primes in the range 1001-2000

1009 1013 1019 1021 1031 1033 1039 1049 1051 1061 1063 1069 1087 1091 1093 1097
1103 1109 1117 1123 1129 1151 1153 1163 1171 1181 1187 1193
1201 1213 1217 1223 1229 1231 1237 1249 1259 1279 1283 1289 1291 1297
1301 1303 1307 1319 1321 1327 1361 1367 1373 1381 1399
1409 1423 1427 1429 1433 1439 1447 1451 1453 1459 1471 1481 1483 1487 1489 1493 1499
1511 1523 1531 1543 1549 1553 1559 1567 1571 1579 1583 1597
1601 1607 1609 1613 1619 1621 1627 1637 1657 1663 1667 1669 1693 1697 1699
1709 1721 1723 1733 1741 1747 1753 1759 1777 1783 1787 1789
1801 1811 1823 1831 1847 1861 1867 1871 1873 1877 1879 1889
1901 1907 1913 1931 1933 1949 1951 1973 1979 1987 1993 1997 1999

The total number of primes in the range 1001-2000 is 134.



Table H.3  List of primes in the range 2001-3000

2003 2011 2017 2027 2029 2039 2053 2063 2069 2081 2083 2087 2089 2099
2111 2113 2129 2131 2137 2141 2143 2153 2161 2179
2203 2207 2213 2221 2237 2239 2243 2251 2267 2269 2273 2281 2287 2293 2297
2309 2311 2333 2339 2341 2347 2351 2357 2371 2377 2381 2383 2389 2393 2399
2411 2417 2423 2437 2441 2447 2459 2467 2473 2477
2503 2521 2531 2539 2543 2549 2551 2557 2579 2591 2593
2609 2617 2621 2633 2647 2657 2659 2663 2671 2677 2683 2687 2689 2693 2699
2707 2711 2713 2719 2729 2731 2741 2749 2753 2767 2777 2789 2791 2797
2801 2803 2819 2833 2837 2843 2851 2857 2861 2879 2887 2897
2903 2909 2917 2927 2939 2953 2957 2963 2969 2971 2999

The total number of primes in the range 2001-3000 is 127.

? 




Table H.4  List of primes in the range 3001-4000

3001 3011 3019 3023 3037 3041 3049 3061 3067 3079 3083 3089
3109 3119 3121 3137 3163 3167 3169 3181 3187 3191
3203 3209 3217 3221 3229 3251 3253 3257 3259 3271 3299
3301 3307 3313 3319 3323 3329 3331 3343 3347 3359 3361 3371 3373 3389 3391
3407 3413 3433 3449 3457 3461 3463 3467 3469 3491 3499
3511 3517 3527 3529 3533 3539 3541 3547 3557 3559 3571 3581 3583 3593
3607 3613 3617 3623 3631 3637 3643 3659 3671 3673 3677 3691 3697
3701 3709 3719 3727 3733 3739 3761 3767 3769 3779 3793 3797
3803 3821 3823 3833 3847 3851 3853 3863 3877 3881 3889
3907 3911 3917 3919 3923 3929 3931 3943 3947 3967 3989

The total number of primes in the range 3001-4000 is 120.



Table H.5  List of primes in the range 4001-5000

4001 4003 4007 4013 4019 4021 4027 4049 4051 4057 4073 4079 4091 4093 4099
4111 4127 4129 4133 4139 4153 4157 4159 4177
4201 4211 4217 4219 4229 4231 4241 4243 4253 4259 4261 4271 4273 4283 4289 4297
4327 4337 4339 4349 4357 4363 4373 4391 4397
4409 4421 4423 4441 4447 4451 4457 4463 4481 4483 4493
4507 4513 4517 4519 4523 4547 4549 4561 4567 4583 4591 4597
4603 4621 4637 4639 4643 4649 4651 4657 4663 4673 4679 4691
4703 4721 4723 4729 4733 4751 4759 4783 4787 4789 4793 4799
4801 4813 4817 4831 4861 4871 4877 4889
4903 4909 4919 4931 4933 4937 4943 4951 4957 4967 4969 4973 4987 4993 4999

The total number of primes in the range 4001-5000 is 119.



Table H.6  List of primes in the range 5001-6000

5003 5009 5011 5021 5023 5039 5051 5059 5077 5081 5087 5099
5101 5107 5113 5119 5147 5153 5167 5171 5179 5189 5197
5209 5227 5231 5233 5237 5261 5273 5279 5281 5297
5303 5309 5323 5333 5347 5351 5381 5387 5393 5399
5407 5413 5417 5419 5431 5437 5441 5443 5449 5471 5477 5479 5483
5501 5503 5507 5519 5521 5527 5531 5557 5563 5569 5573 5581 5591
5623 5639 5641 5647 5651 5653 5657 5659 5669 5683 5689 5693
5701 5711 5717 5737 5741 5743 5749 5779 5783 5791
5801 5807 5813 5821 5827 5839 5843 5849 5851 5857 5861 5867 5869 5879 5881 5897
5903 5923 5927 5939 5953 5981 5987

The total number of primes in the range 5001-6000 is 114.
Table H.7  List of primes in the range 6001-7000

6007 6011 6029 6037 6043 6047 6053 6067 6073 6079 6089 6091
6101 6113 6121 6131 6133 6143 6151 6163 6173 6197 6199
6203 6211 6217 6221 6229 6247 6257 6263 6269 6271 6277 6287 6299
6301 6311 6317 6323 6329 6337 6343 6353 6359 6361 6367 6373 6379 6389 6397
6421 6427 6449 6451 6469 6473 6481 6491
6521 6529 6547 6551 6553 6563 6569 6571 6577 6581 6599
6607 6619 6637 6653 6659 6661 6673 6679 6689 6691
6701 6703 6709 6719 6733 6737 6761 6763 6779 6781 6791 6793
6803 6823 6827 6829 6833 6841 6857 6863 6869 6871 6883 6899
6907 6911 6917 6947 6949 6959 6961 6967 6971 6977 6983 6991 6997

The total number of primes in the range 6001-7000 is 117.




Table H.8  List of primes in the range 7001-8000

7001 7013 7019 7027 7039 7043 7057 7069 7079
7103 7109 7121 7127 7129 7151 7159 7177 7187 7193
7207 7211 7213 7219 7229 7237 7243 7247 7253 7283 7297
7307 7309 7321 7331 7333 7349 7351 7369 7393
7411 7417 7433 7451 7457 7459 7477 7481 7487 7489 7499
7507 7517 7523 7529 7537 7541 7547 7549 7559 7561 7573 7577 7583 7589 7591
7603 7607 7621 7639 7643 7649 7669 7673 7681 7687 7691 7699
7703 7717 7723 7727 7741 7753 7757 7759 7789 7793
7817 7823 7829 7841 7853 7867 7873 7877 7879 7883
7901 7907 7919 7927 7933 7937 7949 7951 7963 7993

The total number of primes in the range 7001-8000 is 107.



Table H.9  List of primes in the range 8001-9000

8009 8011 8017 8039 8053 8059 8069 8081 8087 8089 8093
8101 8111 8117 8123 8147 8161 8167 8171 8179 8191
8209 8219 8221 8231 8233 8237 8243 8263 8269 8273 8287 8291 8293 8297
8311 8317 8329 8353 8363 8369 8377 8387 8389
8419 8423 8429 8431 8443 8447 8461 8467
8501 8513 8521 8527 8537 8539 8543 8563 8573 8581 8597 8599
8609 8623 8627 8629 8641 8647 8663 8669 8677 8681 8689 8693 8699
8707 8713 8719 8731 8737 8741 8747 8753 8761 8779 8783
8803 8807 8819 8821 8831 8837 8839 8849 8861 8863 8867 8887 8893
8923 8929 8933 8941 8951 8963 8969 8971 8999

The total number of primes in the range 8001-9000 is 110.



Table H.10  List of primes in the range 9001-10,000

9001 9007 9011 9013 9029 9041 9043 9049 9059 9067 9091
9103 9109 9127 9133 9137 9151 9157 9161 9173 9181 9187 9199
9203 9209 9221 9227 9239 9241 9257 9277 9281 9283 9293
9311 9319 9323 9337 9341 9343 9349 9371 9377 9391 9397
9403 9413 9419 9421 9431 9433 9437 9439 9461 9463 9467 9473 9479 9491 9497
9511 9521 9533 9539 9547 9551 9587
9601 9613 9619 9623 9629 9631 9643 9649 9661 9677 9679 9689 9697
9719 9721 9733 9739 9743 9749 9767 9769 9781 9787 9791
9803 9811 9817 9829 9833 9839 9851 9857 9859 9871 9883 9887
9901 9907 9923 9929 9931 9941 9949 9967 9973

The total number of primes in the range 9001-10,000 is 112.



Appendix I  Prime Factors of Integers Less Than 1000

This appendix provides aid in finding prime factors of integers less than 1000. Tables I.1 and I.2 give the least prime factors. These tables do not include even integers (whose least prime factor is obviously 2) and integers with 5 as the rightmost digit (which have 5 as a prime factor). Note that if no least factor is given for an integer, the integer itself is a prime (its least factor is itself).

To find all factors of an integer less than 1000, first find the least factor, divide the number by this factor, and search the table again to find the second factor, and so on.

Example I.1

To find all factors of 693, we use the following steps:

1. The least factor of 693 is 3; 693/3 = 231.

2. The least factor of 231 is 3; 231/3 = 77.

3. The least factor of 77 is 7; 77/7 = 11.

4. The integer 11 is itself a prime. Therefore, 693 = 3^2 × 7 × 11.

Example I.2

To find all factors of 722, we use the following steps:

1. The number is even, so the least factor is obviously 2; 722/2 = 361.

2. The least factor of 361 is 19; 361/19 = 19.

3. The integer 19 is itself a prime. Therefore, 722 = 2 × 19^2.

Example I.3

To find all factors of 745, we use the following steps:

1. The number is divisible by 5, so the least factor is obviously 5; 745/5 = 149.

2. The integer 149 is itself a prime. Therefore, 745 = 5 × 149.
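The least-factor tables of this appendix and the prime tables of Appendix H come from the same computation: a sieve that records, for every integer up to a limit, its smallest prime factor. The Python below is an added example, not the book's code; it builds that table up to 10,000, factors an integer by the repeated-division procedure of Examples I.1 to I.3, and counts the primes in any range so the totals printed under the tables of Appendix H can be checked.

```python
from collections import Counter


def least_factor_table(limit):
    """lf[n] = least prime factor of n (lf[p] = p for a prime p); a sieve of Eratosthenes variant."""
    lf = [0] * (limit + 1)
    for i in range(2, limit + 1):
        if lf[i] == 0:                       # i has no smaller factor, so it is prime
            lf[i] = i
            for j in range(i * i, limit + 1, i):
                if lf[j] == 0:               # first prime to reach j is its least factor
                    lf[j] = i
    return lf


LIMIT = 10_000
LF = least_factor_table(LIMIT)


def least_factor(n):
    """The table lookup of Appendix I (the table itself also covers even numbers and multiples of 5)."""
    return LF[n]


def factorize(n):
    """Appendix I procedure: divide by the least factor, look the quotient up again, repeat."""
    factors = []
    while n > 1:
        p = LF[n]
        factors.append(p)
        n //= p
    return factors


def format_factorization(n):
    """693 -> '3^2 x 7 x 11', the way the examples state the result."""
    c = Counter(factorize(n))
    return " x ".join(f"{p}^{e}" if e > 1 else str(p) for p, e in sorted(c.items()))


def primes_in_range(lo, hi):
    """Primes p with lo <= p <= hi, i.e. one table of Appendix H."""
    return [n for n in range(max(lo, 2), hi + 1) if LF[n] == n]


def count_primes(lo, hi):
    return len(primes_in_range(lo, hi))


if __name__ == "__main__":
    for n in (693, 722, 745):
        print(n, "=", format_factorization(n))
    print("primes in 1-1000:", count_primes(1, 1000))
    print("primes in 9001-10,000:", count_primes(9001, 10_000))
```

The same table answers the question the appendix is written for (is this integer prime, and if not, what is its least factor) in constant time per lookup, which is why least-factor sieves are the usual way to tabulate small primes.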



Table I.1  Least factor of integers in the range 1-500 (L.F. means least factor)



I 

3 
7 
9 

11 
13 
17 
19 



27 
31 
^7 
41 
47 



59 
61 
63 
67 



71 
73 
7? 
79 



&3 
*7 

&9 

91 



3 

3 



3 
3 



7 
3 



3 



3 

7 
3 



t 



I I ■: 



I 17 

1L9" 

121 

123 

127 

129 

!3I 

133 

137 

139 

141 

143 

1 4-7 

149 

151 

1.-53 

L57 

159 

161 

163 

S67 

t69 

171 

173 
17? 
179 
151 



137 

191 
193 

til 

199 



3 



3 

3 
7 



221 
>Q 223 
rfp7 



3 

n 

3 



3 
7 

IS 
13 
3 



3 
11 

3 



201 

203 
207 
209 
211 

213 

217 



237 S\ 

239 



241 
243 
247 
249 
25 E 
253 
237 
259 
261 
263 
261 



211 

273 
277 
279 
2£! 
283 
2S7 
2&9 
291 
293 
297 
299 



■7 

11 

3 
■ 7 
3 

. 13. 



.i.j i 



f> 



3 



3 

3 



7 

17 

3 



3 
13 



1 J ]{it&geri 



301 
303 
307 
309 
311 
313 
317 
319 
321 
323 
327 
?29 
331 
333 
137 
339 
343 
343 
347 
349 

^53 

V 



7 

3 



■ 



11 

3 



3 

11 

7 



3 

3 



36aP^ 3 

367 
369 
371 
373 
377 



3SI 
3S3 
3S7 

339 

m 

393 
399 



7 

[7 

3 



401 
403 



409 
411 
413 
417 
419 
421 
423 
427 
429 
431 
433 
437 
439 
441 
443 

447 
H<D 

■IS 

■153 
457 
459 
461 
463 
467 
469 
471 
473 
477 
479 




Table I.2  Least factor of integers in the range 501-1000 (L.F. means least factor)



5- 

V?! 




so? 

511 

$n 

M7 
519 




L K 



527 
529 

533 
537 

541 



547 
549 
551 

559 
561 
563 
567 
56=) 

571 

573 

557 

579 

531 

583 

5S7 

5S9 

591 

593 

597 

399 



fnieger 



6(11 
603 



My 

611 
613 
6L7 
6 ID 
621 

-\+S 623 

-627 



17 
23 
3 
S3 
3 
7 



3 

19 

7 

13 
3 



3 
7 
II 

S9 

3 



6£*>* 

G3VA 
639 v 

641 

643 

647 

649 

651 

ft51i 

657 

659 

661 

663 

667 

669 

671 



677 
679 

m 

683 
6S7 
639 
69 I 
693 
697 



L E 



3 
]3 



7 
3 
37 

7 



Integer 



701 
703 
707 
709 
711 
713 



3 

23 
3 
11 



7 
3 

3 

17 



719 
721 
723 
72™ 
729 
731 
733 
737 
739 
74-3 
743 
747 
749 
751 
753 



LE 



19 
7 

3 
13 
}. 

7 
3 

3 

17 

11 

3 

t 

3 

3 

767 rCN 13 

769 
771 
773 





O 



777 
779 

im 

7S3 
787 
7(J& 
79] 
793 
797 
799 



k1 

S9 
11 

3 

3 
7 
3 

17 



B07 

m 

811 
813 

ai7 
siy 

&23 
827 
829 



833 
S37 
S39 
S4i 



847 
849 

#51 



857 
859 
861 
863 
S67 

in 

873 
K77 
879 

cJS 




3 
11 

3 



3 

19 

3 



3 

■; 

3 
29 

7 
3 

23 



Inieg 



3 
U 
13 
3 

3 



7 
3 
19 

3 

29 



901 
907 

909 
yn 

913 

917 

919 

921 

923 

927 

929 

931 

933 

937 

939 

941 

943 

947 

949 
^ 

953 

&37 

959 

961 

963 

967 

969 

971 

973 

977 

979 

981 

$S3 

987 

9S9 

99! 

993 

997 

999 



17 
3 



U 

7 

3 
13 
3 

7 
3 

3 

23 

13 

3 

3 
7 

31 
3 



11 

3 

23 
3 




Appendix J  Primitive Roots for Primes

Table J.1 shows the first primitive root modulo a prime for the primes less than 1000.

Table J.1



Prime 




Prime 



Prbi\€ 



Root 



Prime I 



Raot 



IC3 



■Ml 



401 



57J 



739 



919 



J 



10v 



409 



21 



577 



5 



743 



- 



^29 



3. 



W19 



I 



3 



419 



2 



751 



937 



3 



L 13 



5 



42 L 



2 



^9- 



757 



2 



tl 



13 



37 



19 



L 27 



133 



: 2 



3 



137 



1 39 



43 3 



7 



271 



277 



28 L 



3 



■ J -33 



V 

P *■ 7 .'■ 




443 



399 
607 



7- 



7CE 



947 



7 



! I 



933 



■15 



EOT 



S3 



2 



613 



2 



773 



"■2. 



967 



7&7 



97 5 



,- 3 



23 



29 



I ■'■ 9 



m 



2 •■ ' 



L5L 



6,; 



29?- 



2 



9 



617 



3. 



7<57 



977 



EL 



13 



ft 9 



809 



3 



n S3 



• -3 



31 



37 



41 



43 



47 



157 



i:-2 



167 



V3- 



V73 



179 



307 



311 



5 



317 

3?: 



463 



10 



467 




a. 



479 



3 



487 



2 



63 L 



=3 



991 



.3 



64 L 



3 



821 



997 




3 



/ 647 



II 



3^ 



: 1 ■-• 



2 



H20 



53 



337 



10 



&9\ 



2 



059 



11 



V' 



63 



2i 



191 



19 



Mi 



499 



L93 



5 



3*9 



503 



£7i^ 



7 



S57 



07 



71 



1^7 



3^ 



509 



677 



57.1 



3 



6E3 



JOT 



S-S3 



5 



73 



79 



3 



2-L 3 



6 



60| 



877 







as 



373 



7n: 



2 

■■ ■ ■ , 



S&3 



S3 



227 



2 



379 



2; 



547 



2 



709 



2 



■r>S3 



■2, 



TV" 



101 



229 



V 5 



233 



2?>9 



3S3 



7E9 



BS7 



2 



2-' 



~?1 



907 



5 
2 



337 



o3 



■6' 



9! I 



17 




Appendix K  Random Number Generator

Cryptography and randomness are closely related. In Appendix F, Information Theory, we mentioned that perfect secrecy can be achieved if the key of the encipherment algorithm is truly a random number. There are two approaches to generating a long stream of random bits: using a natural random process, such as flipping a coin many times and interpreting heads and tails as 0-bits and 1-bits, or using a deterministic process with feedback. The first approach is called a true random number generator (TRNG); the second is called a pseudorandom number generator (PRNG). Figure K.1 shows these two approaches.




Figure K.1  TRNG and PRNG

[Figure: (a) TRNG: repeated experiments produce a random stream. (b) PRNG: a short random stream (the seed) enters a deterministic process with feedback, which produces a long random stream.]

K.1 TRNG

Although flipping a fair coin continuously creates a perfect random stream of bits, it is not practical. There are many natural sources that can produce true random numbers, such as sampling thermal noise produced in an electric resistor or measuring the response time of a mechanical or electrical process. These natural resources have been used in the past, and some of them have been commercialized. However, there are several drawbacks to this approach. The process is normally slow, and the same random stream cannot be repeated if needed.







K.2 PRNG

A reasonably random stream of bits can be achieved using a deterministic process with a short random stream as the input (seed). A pseudorandom number generator uses this approach. The generated number is not truly random because the process that creates it is deterministic. PRNGs can be divided into two broad categories: congruential generators and generators using cryptographic ciphers. We discuss some generators in each category.

Congruential Generators

Several methods use some congruence operations.

Linear Congruential Generator

In computer science, the most common technique for generating pseudorandom numbers is the linear congruential method, introduced by Lehmer. As Figure K.2 shows, this method recursively creates a sequence of pseudorandom numbers using a linear congruence equation of the form x_(i+1) = (a x_i + b) mod n, where x_0, called the seed, is a number between 0 and n − 1.

Figure K.2  Linear congruential pseudorandom number generator

[Figure: the seed x_0 enters the box x_(i+1) = (a x_i + b) mod n; each output x_(i+1) is a pseudorandom number and, through the feedback path, the next input.]



The sequence is periodic, where the period depends on how carefully the coefficients, a and b, are selected. The ideal is to make the period as large as the modulus n.

Example K.1

Assume that a = 4, b = 5, n = 17, and x_0 = 7. The sequence is 16, 1, 9, 7, 16, 1, 9, 7, ..., which is definitely a poor pseudorandom sequence; the period is only 4.

Criteria  Several criteria for an acceptable PRNG have been developed during the last few decades:

1. The period must be equal to n (the modulus). This means that, before the integers in the sequence are repeated, all integers between 0 and n − 1 must be generated.

2. The sequence in each period must be random.

3. The generating process must be efficient. Most computers today are efficient when arithmetic is done using 32-bit words.



Recommendation  Based on the previous criteria, the following are recommended for selecting the coefficients of the congruence equation and the value of the modulus.

1. A good choice for the modulus n is the largest prime number close to the size of a word in the computer being used. The recommendation is to use the thirty-first Mersenne prime as the modulus: n = M_31 = 2^31 − 1.

2. To create a period as long as the modulus, the value of the first coefficient, a, should be a primitive root of the prime modulus. Although the integer 7 is a primitive root of M_31, it is recommended to use 7^k, where k is an integer coprime with M_31 − 1. Some recommended values for k are 5 and 13. This means that a = 7^5 or a = 7^13.

3. For the second recommendation to be effective, the value of the second coefficient, b, should be zero.

Linear Congruential Generator:
x_(i+1) = (a x_i) mod n, where n = 2^31 − 1 and a = 7^5 or a = 7^13

' O 

Security  A sequence generated by a linear congruential equation shows reasonable randomness if the previous recommendations are followed. The sequence is useful in some applications where only randomness is required (such as simulation); it is useless in cryptography, where both randomness and secrecy are desired. Because n is public, the sequence can be attacked by Eve using one of two strategies:

a. If Eve knows the value of the seed (x_0) and the coefficient a, she can easily regenerate the whole sequence.

b. If Eve does not know the value of x_0 and a, she can intercept the first two integers and use the following two equations to find x_0 and a:

x_1 = (a × x_0) mod n
x_2 = (a × x_1) mod n
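The generator of Example K.1, the primitive-root condition of the recommendations, and the two-output recovery of strategy (b), worked in Python as an added example (not the book's code). It shows why the recommendation insists that k be coprime with M_31 − 1 (7^11 fails because 11 divides M_31 − 1), regenerates the "first primitive root" entries that Appendix J tabulates, and demonstrates that with b = 0 and a public modulus, two consecutive outputs determine a and then x_0, which is the whole reason a linear congruential generator must never be used where secrecy matters. The seed 12345 is a constructed sample value.

```python
def lcg_sequence(a, b, n, x0, count):
    """x_{i+1} = (a x_i + b) mod n; returns x_1 .. x_count."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + b) % n
        out.append(x)
    return out


def lcg_period(a, b, n, x0):
    """Length of the cycle the sequence eventually repeats (exhaustive walk, for small n only)."""
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + b) % n
        i += 1
    return i - seen[x]


def prime_factors(n):
    f, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            f.add(d)
            n //= d
        d += 1
    if n > 1:
        f.add(n)
    return f


def is_primitive_root(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p - 1."""
    return g % p != 0 and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def smallest_primitive_root(p):
    """The 'first primitive root' of a prime, as tabulated in Appendix J."""
    if p == 2:
        return 1
    return next(g for g in range(2, p) if is_primitive_root(g, p))


def recover_multiplier(x1, x2, n):
    """Strategy (b) with b = 0: a = x_2 * x_1^-1 mod n from two intercepted outputs."""
    return (x2 * pow(x1, -1, n)) % n


def recover_seed(x1, a, n):
    """Then x_0 = x_1 * a^-1 mod n."""
    return (x1 * pow(a, -1, n)) % n


M31 = (1 << 31) - 1  # the recommended modulus, the 31st Mersenne prime

if __name__ == "__main__":
    print("Example K.1:", lcg_sequence(4, 5, 17, 7, 8), "period", lcg_period(4, 5, 17, 7))
    print("7 is a primitive root of M31:", is_primitive_root(7, M31))
    print("7^5:", is_primitive_root(pow(7, 5, M31), M31), " 7^11:", is_primitive_root(pow(7, 11, M31), M31))
    x1, x2 = lcg_sequence(pow(7, 5), 0, M31, 12345, 2)   # 12345 is a constructed seed
    a = recover_multiplier(x1, x2, M31)
    print("recovered a =", a, "x0 =", recover_seed(x1, a, M31))
```

The recovery needs only the public modulus and two outputs; a generator whose internal state is exposed this cheaply provides randomness for simulation but no secrecy, which is the distinction the text draws between the two uses.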



Quadratic Residue Generator

To make the pseudorandom sequence less predictable, a quadratic residue generator has been introduced (see Chapter 9): x_(i+1) = x_i^2 mod n, where x_0, called the seed, is a number between 0 and n − 1.

Blum Blum Shub Generator

A simple but efficient method for generating a pseudorandom sequence is called Blum Blum Shub (BBS) after the names of its three inventors. BBS uses quadratic residue congruence, but it is a pseudorandom bit generator instead of a pseudorandom number generator; it generates a sequence of bits (0 or 1). Figure K.3 shows the idea of this generator.

The following shows the steps:

1. Find two large prime numbers p and q in the form 4k + 3, where k is an integer (both p and q are congruent to 3 modulo 4).

2. Select the modulus n = p × q.

3. Choose a random integer r which is coprime to n.

4. Calculate the seed as x_0 = r^2 mod n.

5. Generate the sequence as x_(i+1) = x_i^2 mod n.

6. Extract the least significant bit of the generated random integer as the random bit.

Figure K.3  Blum Blum Shub (BBS) pseudorandom number generator

[Figure: the seed x_0 = r^2 mod n enters the box x_(i+1) = x_i^2 mod n; each output feeds back as the next input, and its least significant bit is the random bit.]



Security  It can be proven that if p and q are known, the ith bit in the sequence can be found as the least significant bit of

x_i = x_0^(2^i mod [(p − 1)(q − 1)]) mod n

This means that if Eve knows the value of p and q, she can find the value of the ith bit by trying possible values of x_0 (the value of n is usually public). This means that the complexity of this generator is the same as the factorization of n. If n is large enough, the sequence is secure (unpredictable). It has been proven that with a very large n, Eve cannot guess the value of the next bit in the sequence even if she knows the values of all previous bits. The probability of each bit being 0 or 1 is very close to 50 percent.

The security of BBS depends on the difficulty of factorization.
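The six steps above and the closed form of the security discussion, worked in Python as an added example (not the book's code). The primes p = 11 and q = 19 and the integer r = 3 are constructed toy values so that every state can be checked by hand (n = 209, x_0 = 9); a real deployment uses primes of hundreds of digits. The direct formula reproduces any x_i from x_0 alone, but only because it uses (p − 1)(q − 1), which is exactly the knowledge factoring n would give an attacker.

```python
from math import gcd


def bbs_setup(p, q, r):
    """Steps 1-4: p, q are primes congruent to 3 mod 4, n = p*q, seed x_0 = r^2 mod n with gcd(r, n) = 1."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 modulo 4")
    n = p * q
    if gcd(r, n) != 1:
        raise ValueError("r must be coprime to n")
    return n, (r * r) % n


def bbs_bits(n, x0, count):
    """Steps 5-6: x_{i+1} = x_i^2 mod n; each least significant bit is one output bit."""
    bits, x = [], x0
    for _ in range(count):
        x = (x * x) % n
        bits.append(x & 1)
    return bits


def bbs_state_direct(p, q, x0, i):
    """x_i without the intermediate states: x_i = x_0^(2^i mod (p-1)(q-1)) mod n.
    Needs p and q, which is why the generator is only as strong as factoring n."""
    return pow(x0, pow(2, i, (p - 1) * (q - 1)), p * q)


def bbs_bit_direct(p, q, x0, i):
    return bbs_state_direct(p, q, x0, i) & 1


def bit_balance(bits):
    """Fraction of 1-bits; a long BBS stream should sit close to 0.5."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    n, x0 = bbs_setup(11, 19, 3)          # constructed toy parameters: n = 209, x_0 = 9
    stream = bbs_bits(n, x0, 20)
    print("n =", n, "x0 =", x0, "bits:", stream)
    print("bit 3 directly:", bbs_bit_direct(11, 19, x0, 3), "state x_3 =", bbs_state_direct(11, 19, x0, 3))
    print("balance:", bit_balance(stream))
```

With toy parameters the sequence repeats quickly and the balance is far from 0.5; the statement in the text about unpredictability is about large n, where neither the period nor the factorization is within reach.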



Cryptosystem-Based Generators

A cryptosystem such as an encryption cipher or a hash function can also be used to generate a random stream of bits. We briefly mention two systems that use encryption algorithms.



ANSI X9.17 PRNG

ANSI X9.17 defines a cryptographically strong pseudorandom number generator. The generator uses three 3DES with two keys (encryption-decryption-encryption). Figure K.4 shows the design. Note that the first pseudorandom number uses a 64-bit seed as the initial vector (IV); the rest of the pseudorandom numbers use the seed shown as the next IV. The same 112-bit secret key (K1 and K2 in 3DES) is used for all three 3DES ciphers.



Figure K.4 ANSI X9.17 pseudorandom number generator
[input: 64-bit date and time; three 3DES stages under the same key; outputs the random number and the next IV]




The configuration in Figure K.4 is the cipher-block chaining (CBC) mode we described in Figure 8.3 in Chapter 8; it uses two stages of the block chaining. The plaintext for each stage comes from the output of the first 3DES, which uses the 64-bit date and time as the plaintext. The ciphertext created from the second 3DES is the random number; the ciphertext created from the third 3DES is the next IV for the next random number.

The strength of X9.17 can be due to the following facts:

1. The key is 112 (2 × 56) bits.

2. The date-and-time input of 64 bits provides a good timestamp preventing replay attack.

3. The system provides an excellent confusion-diffusion effect with six encryptions and three decryptions.

PGP PRNG

PGP uses the same idea as X9.17 with several changes. First, PGP PRNG uses seven stages instead of two. Second, the cipher is either IDEA or CAST-128 (not discussed in this book). Third, the key is normally 128 bits. PGP PRNG creates three 64-bit random numbers: the first is used as the IV secret (for communication using PGP, not for PRNG); the second and the third are concatenated to create a 128-bit secret key (for communication using PGP). Figure K.5 shows a rough design of PGP PRNG. The strength of PGP PRNG is in its key size and in the fact that the original IV (seed) and the 128-bit secret key can be generated from a 24-byte true random variable.



Figure K.5 A rough design of PGP PRNG
[inputs: date and time, key]

Complexity

In computer science, we normally talk about the complexity of an algorithm and the complexity of a problem. In this appendix, we give a brief review of these two issues as they are related to cryptography.




L.1 COMPLEXITY OF AN ALGORITHM

In cryptography, we need a tool to analyze the computational complexity of an algorithm. We need an encryption (or decryption) algorithm to have a low level of complexity (efficient); we need an algorithm used by a cryptanalyst (to break the code) to have a high level of complexity (inefficient). In other words, we want to do encryption and decryption in a short span of time, but we want the intruder to have to run her computers forever if she tries to break the code.

The complexity of an algorithm is normally based on two types of resources. The space complexity of an algorithm refers to the amount of memory needed to store the algorithm (program) and the data. The time complexity of an algorithm refers to the amount of time needed to run the algorithm (program) and to get the result.

Bit-Operation Complexity

In the rest of this appendix we deal only with time complexity, which is of more concern, more common, and easier to measure. The time complexity of an algorithm depends on the particular computer on which the algorithm is to be run. To make the complexity independent from the corresponding computer, the bit-operation complexity, f(n_b), is defined, which counts the number of bit operations the computer needs to perform to create the output from an n_b-bit input. A bit operation is the time required for a computer to add, subtract, multiply, or divide two single bits or to shift one single bit.

Example L.1

What is the bit-operation complexity of a function that adds two integers?

Solution

The complexity of the operation is f(n_b) = n_b, where n_b is the number of bits needed to represent the larger integer. If the value of the larger integer is N, n_b = log_2 N.



Example L.2

What is the bit-operation complexity of a function that multiplies two integers?

Solution

Although today there are faster algorithms available to multiply two integers, traditionally the number of bit operations is assumed to be n_b^2, where n_b is the number of bits needed to represent the larger integer. The complexity is therefore f(n_b) = n_b^2.

Example L.3

What is the bit-operation complexity of a function that adds two integers, each having d decimal digits?

Solution

The maximum value of a number of d decimal digits is N = 10^d − 1 or 10^d. The number of bits in the input is n_b = log_2 N = d × log_2 10. The complexity is then f(n_b) = d × log_2 10.

For example, if d = 300 digits, f(n_b) = 300 log_2 10 ≈ 1000 bit operations.

Example L.4

What is the bit-operation complexity of a function that calculates B = A^C (if A < C)?

Solution

Assume that the number of bits in C is n_b (C = 2^{n_b} or n_b = log_2 C). The conventional exponentiation method uses C multiplications. Each multiplication operation needs n_b^2 bit operations (using a conventional multiplication algorithm). The complexity is therefore f(n_b) = C × n_b^2 = 2^{n_b} × n_b^2. For example, if C is in the range of 2^1024 (n_b = 1024), the conventional exponential method gives us

f(n_b) = 2^1024 × (2^10)^2 = 2^1044

This means that if the computer can do 2^20 (almost one million) bit operations per second, it takes 2^1044 / 2^20 = 2^1024 seconds (forever) to perform this operation.

Example L.5

What is the bit-operation complexity of a function that calculates B = A^C (if A < C) using the fast exponential algorithm (square-and-multiply method) discussed in Chapter 9?

Solution

We showed in Chapter 9 that the fast exponential algorithm uses a maximum of 2n_b multiplications, where n_b is the number of bits in the binary representation of C. Each multiplication operation needs n_b^2 bit operations. The complexity is therefore f(n_b) = 2n_b × n_b^2 = 2n_b^3. For example, if C is in the range of 2^1024 (n_b = 1024), the fast exponential algorithm gives us

f(n_b) = 2 × (2^10)^3 = 2^31

This means that if the computer can do 2^20 (almost one million) bit operations per second, it takes 2^31 / 2^20 = 2^11 seconds (almost 34 minutes) to perform this operation. Today computers can do this operation much faster.






Asymptotic Complexity

The whole purpose of complexity is to measure the behavior of algorithms when n_b, the number of bits in the input, is very large. For example, assume that the following shows the complexity of two algorithms:

f_1(n_b) = 2^{n_b} + 5n_b   and   f_2(n_b) = 2^{n_b} + 4

When n_b is small, these two algorithms behave differently; when n_b is large (around 1000), the two algorithms behave almost the same. The reason is that the terms 5n_b and 4 are so small compared with the term 2^{n_b} that they can be totally ignored. We can say, for large n_b, f_1(n_b) = f_2(n_b) = 2^{n_b}. In other words, we are interested in f(n_b) when n_b approaches a very large number such as infinity.

Big-O Notation

Using asymptotic complexity, we can define a standard scale of complexity with discrete values and assign complexity to algorithms using one of these values. One of the common standards is called Big-O notation. In this standard, f(n_b) = O(g(n_b)), where g(n_b) is a function of n_b derived from f(n_b) using the following three theorems:

□ First Theorem. If we can find a constant K such that f(n_b) ≤ K × g(n_b), then we have f(n_b) = O(g(n_b)). This theorem can be easily implemented using the following two simple rules:

a. Set all coefficients of n_b in f(n_b) to 1.

b. Keep the largest term in f(n_b) as g(n_b), and discard the others. Terms are ranked from lowest to highest, as shown below:

□ Second Theorem. If f_1(n_b) = O(g_1(n_b)) and f_2(n_b) = O(g_2(n_b)), then f_1(n_b) + f_2(n_b) = O(g_1(n_b) + g_2(n_b)).

□ Third Theorem. If f_1(n_b) = O(g_1(n_b)) and f_2(n_b) = O(g_2(n_b)), then f_1(n_b) × f_2(n_b) = O(g_1(n_b) × g_2(n_b)).

Example L.6

Find the Big-O notation for f(n_b) = n_b^2 + 3n_b + 7.

Solution

Note that f(n_b) = n_b^2 + 3n_b + 7. Applying the first rule of the first theorem gives n_b^2 + n_b + 1. Applying the second rule gives n_b^2. The Big-O notation is O(n_b^2).

Example L.7

Find the Big-O notation for f(n_b) = (2^{n_b} + n_b^2) + (n_b log_2 n_b).

Solution

We have f_1(n_b) = (2^{n_b} + n_b^2) and f_2(n_b) = (n_b log_2 n_b). Therefore, g_1(n_b) = 2^{n_b} and g_2(n_b) = n_b log_2 n_b. Applying the second theorem, we have g(n_b) = 2^{n_b} + n_b log_2 n_b. Applying the first theorem again, we get g(n_b) = 2^{n_b}. The Big-O notation is O(2^{n_b}).



Example L.8

Find the Big-O notation for f(n_b) = n_b! (n_b factorial).

Solution

We know that n_b! = n_b × (n_b − 1) × ··· × 2 × 1. Each term has the maximum complexity of O(n_b). According to the third theorem, the total complexity is n_b times O(n_b), or O(n_b^{n_b}).

Complexity Hierarchy

The previous discussion allows us to rank algorithms based on their bit-operation complexity. Table L.1 gives common levels of hierarchy used in the literature.

Table L.1 Complexity hierarchy and Big-O notations

Hierarchy           Big-O Notation
Constant            O(1)
Logarithmic         O(log n_b)
Polynomial          O(n_b^c), where c is a constant
Subexponential      O(2^{p(n_b)}), where p(n_b) is a polynomial in log n_b
Exponential         O(2^{n_b})
Superexponential    O(n_b^{n_b}) or O(2^{2^{n_b}})

An algorithm with constant, logarithmic, or polynomial complexity is considered feasible for any size of n_b. An algorithm with exponential or superexponential complexity is considered infeasible if n_b is very large. An algorithm with subexponential complexity is feasible if n_b is not very large.




Example L.9

As shown in Example L.4, the complexity of conventional exponentiation is f(n_b) = 2^{n_b} × n_b^2. The Big-O notation for this algorithm is O(2^{n_b} × n_b^2), which is even worse than exponential. This algorithm is infeasible if n_b is very large.



Example L.10

As shown in Example L.5, the complexity of the fast exponential algorithm is f(n_b) = 2n_b^3. The Big-O notation for this algorithm is O(n_b^3), which is polynomial. This algorithm is feasible; it is used in the RSA cryptosystem.



Example L.11

Assume that a cryptosystem has a key length of n_b bits. To do a brute-force attack on this system, the adversary needs to check 2^{n_b} different keys. This means that the algorithm needs to go through 2^{n_b} steps. If N is the number of bit operations to do one step, the complexity of the algorithm is definitely f(n_b) = N × 2^{n_b}. Even if N is a constant, the complexity of this algorithm is exponential, O(2^{n_b}). Therefore, for a large n_b, the attack is infeasible. In Chapter 6, we showed that DES with the 56-bit key is vulnerable to brute-force attack, but 3DES, with the 112-bit key, is not. In Chapter 7, we also showed that AES, with the 128-bit key, is immune to this attack.


L.2 COMPLEXITY OF A PROBLEM

Complexity theory also discusses the complexity of a problem before writing an algorithm for it. To define the complexity of a problem, one uses a Turing machine (devised by Alan Turing), a machine with an infinite amount of memory. Modern computers are realistic manifestations of the theoretical Turing machines. Two versions of theoretical Turing machines are used to evaluate the complexity of problems: deterministic and nondeterministic. A nondeterministic machine can solve harder problems by first guessing the solution and then checking its guess.

Two Broad Categories

Complexity theory divides all problems into two broad categories: undecidable problems and decidable problems.

Undecidable Problems

An undecidable problem is a problem for which there is no algorithm that can solve it. Alan Turing proved that the famous halting problem is undecidable. The halting problem can be simply stated as follows: "Given an input and a Turing machine, there is no algorithm to determine if the machine will eventually halt." There are several problems in mathematics and computer science that are undecidable.

Decidable Problems

A problem is decidable if an algorithm can be written to solve it. The corresponding algorithm, however, may or may not be feasible. If a problem can be solved using an algorithm of polynomial complexity or less, it is called a tractable problem. If a problem can be solved using an algorithm of exponential complexity, it is called intractable.

P, NP, and coNP   Complexity theory divides tractable problems into three (possibly overlapping) classes, P, NP, and coNP. As shown in Figure L.1, the NP and coNP classes overlap and the P class is in the intersection of these classes. Problems in class P (P stands for polynomial) can be solved by a deterministic Turing machine in polynomial time. Problems in class NP (NP stands for nondeterministic polynomial) can be solved by a nondeterministic Turing machine in polynomial time. Problems in class coNP (coNP stands for complementary nondeterministic polynomial) are those problems whose complements can be solved by a nondeterministic Turing machine. For example, a problem that decides if an integer can be factored into two primes is the complement of the problem that decides if a number is a prime. In other words, "can be factored" is equivalent to "is not a prime."

Figure L.1 Classes P, NP, and coNP
[NP and coNP overlap; P lies in their intersection]

L.3 PROBABILISTIC ALGORITHMS

If a problem is intractable, we may be able to find a probabilistic algorithm for it. Although probabilistic algorithms do not guarantee that the solution is error-free, the probability of error can be made very small by repeating the algorithm using several different parameters. A probabilistic algorithm can be divided into two categories: Monte Carlo and Las Vegas.

Monte Carlo Algorithms

A Monte Carlo algorithm is a yes/no decision algorithm: the output of the algorithm is either yes or no. A yes-biased Monte Carlo algorithm gives a yes-result with probability 1 (no mistake); it gives a no-result with probability ε (possible mistake). A no-biased Monte Carlo algorithm gives a no-result with probability 1 (no mistake); it gives a yes-result with probability ε (possible mistake). We saw in Chapter 9 that a Monte Carlo yes-biased algorithm for primality can test to see if an integer is prime. If the algorithm returns "prime," we are sure that the integer is prime; if it returns "composite," the number can be prime with a small probability.

Las Vegas Algorithms

A Las Vegas algorithm is an algorithm that either succeeds or fails. If it succeeds, it always returns a correct answer. If it fails, there is no answer.







PGP (Chapter 16) uses the ZIP data compression technique. ZIP, created by Jean-loup Gailly, Mark Adler, and Richard Wales, is based on an algorithm called LZ77 (Lempel-Ziv 77), devised by Jacob Ziv and Abraham Lempel. In this appendix, we briefly discuss LZ77 as the basis for

M.1 LZ77 ENCODING

LZ77 encoding is an example of dictionary-based encoding. The idea is to create a dictionary (table) of strings used during the communication session. If both the sender and the receiver have a copy of the dictionary, then already-encountered strings can be replaced by their indices in the dictionary to reduce the amount of information transmitted.

Although the idea appears simple, several difficulties surface in the implementation. First, how can a dictionary be created for each session? It cannot be universal due to its length. Second, how can the receiver acquire the dictionary made by the sender? If you send the dictionary, you are sending extra data, which defeats the whole purpose of compression.

A practical algorithm that uses the idea of adaptive dictionary-based encoding is the LZ77 algorithm. We introduce the basic idea of this algorithm with an example but do not delve into the details of different versions and implementations. In our example, assume that the following string is to be sent. We have chosen this specific string to simplify the discussion.

BAABABBBAABBBBAA

Using our simple version of the LZ77 algorithm, the process is divided into two phases: compressing the string and decompressing the string.





In this phase, there are two concurrent events: building an indexed dictionary and compressing a string of symbols. The algorithm extracts from the remaining noncompressed string the smallest substring that cannot be found in the dictionary. It then stores a copy of this substring in the dictionary (as a new entry) and assigns it an index value. Compression occurs when the substring, except for the last character, is replaced with the index found in the dictionary. The process then inserts the index and the last character of the substring into the compressed string. For example, if the substring is ABBB, you search for ABB in the dictionary. You find that the index for ABB is 4; the compressed substring is therefore 4B. Figure M.1 shows the process for our sample string.

Figure M.1 Example of LZ77 encoding

Uncompressed string: BAABABBBAABBBBAA
Dictionary built while compressing: 1 B, 2 A, 3 AB, 4 ABB, 5 BA, 6 ABBB, 7 BAA
Compressed (parsed) string: B, A, 2B, 3B, 1A, 4B, 5A



Let us go through a few steps in Figure M.1:

□ Step 1. The process extracts from the original string the smallest substring that is not in the dictionary. Because the dictionary is empty, the smallest substring is one character (the first character, B). The process stores a copy of it as the first entry in the dictionary. Its index is 1. No part of this substring can be replaced with an index from the dictionary (it is only one character). The process inserts B in the compressed string. So far, the compressed string has only one character: B. The remaining noncompressed string is the original string without the first character.

□ Step 2. The process extracts from the remaining string the next smallest substring that is not in the dictionary. This substring is the character A, which is not in the dictionary. The process stores a copy of it as the second entry in the dictionary. No part of this substring can be replaced with an index from the dictionary (it is only one character). The process inserts A in the compressed string. So far, the compressed string has two characters: B and A (we have placed commas between the substrings in the compressed string to show the separation).

□ Step 3. The process extracts from the remaining string the next smallest substring that is not in the dictionary. This situation differs from the two previous steps. The next character (A) is in the dictionary, so the process extracts two characters (AB) that are not in the dictionary. The process stores a copy of AB as the third entry in the dictionary. The process now finds the index of an entry in the dictionary that is the substring without the last character (AB without the last character is A). The index for A is 2, so the process replaces A with 2 and inserts 2B in the compressed string.

□ Step 4. Next the process extracts the substring ABB (because A and AB are already in the dictionary). A copy of ABB is stored in the dictionary with an index of 4. The process finds the index of the substring without the last character (AB), which is 3. The combination 3B is inserted into the compressed string. You may have noticed that in the three previous steps, we have not actually achieved any compression because we have replaced one character by one (A by A in the first step and B by B in the second step) and two characters by two (AB by 2B in the third step). But in this step, we have actually reduced the number of characters (ABB becomes 3B). If the original string has many repetitions (which is true in most cases), we can greatly reduce the number of characters.

Each of the remaining steps is similar to one of the preceding four steps, and we let the reader follow through. Note that the dictionary is used by the sender to find the indices. It is not sent to the receiver; the receiver must create the dictionary for herself, as we will see in the next section.



Decompression is the inverse of the compression process. The process extracts the substrings from the compressed string and tries to replace the indices with the corresponding entries in the dictionary, which is empty at first and built up gradually. The whole idea is that when an index is received, there is already an entry in the dictionary corresponding to that index. Figure M.2 shows the decompression process.



Figure M.2 Example of LZ77 decoding

Compressed string: B, A, 2B, 3B, 1A, 4B, 5A
Dictionary rebuilt while decompressing: 1 B, 2 A, 3 AB, 4 ABB, 5 BA, 6 ABBB, 7 BAA
Decompressed string: BAABABBBAABBBBAA



Let us go through a few steps in Figure M.2:

□ Step 1. The first substring of the compressed string is examined. It is B without an index. Because the substring is not in the dictionary, it is added to the dictionary. The substring (B) is inserted into the decompressed string.

□ Step 2. The second substring (A) is examined; the situation is similar to step 1. Now the decompressed string has two characters (BA), and the dictionary has two entries.

□ Step 3. The third substring (2B) is examined. The process searches the dictionary and replaces the index 2 with the substring A. The new substring (AB) is added to the decompressed string, and AB is added to the dictionary.

□ Step 4. The fourth substring (3B) is examined. The process searches the dictionary and replaces the index 3 with the substring AB. The substring ABB is now added to the decompressed string, and ABB is added to the dictionary.

We leave the exploration of the last three steps as an exercise. As you have noticed, we used a number such as 1 or 2 for the index; in reality, the index is a binary pattern (possibly variable in length) for better efficiency.
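The compression and decompression phases described in this appendix, as an added Python example that is not part of the book. Tokens are written as (index, character) pairs, index 0 standing for "no dictionary prefix"; the one situation the book's sample string avoids, an input that ends on a string already in the dictionary, is handled by emitting the index with an empty character, a convention of this example only.

```python
# Added example, not from the book: the simplified LZ77 dictionary scheme of
# Appendix M as a compressor and a decompressor that rebuilds the dictionary
# on the fly, so nothing but the tokens has to travel to the receiver.


def lz77_compress(text):
    """Return a list of (index, char) tokens; index i refers to dictionary entry i (1-based)."""
    dictionary = []          # entry i is stored at dictionary[i - 1]
    tokens = []
    pos = 0
    while pos < len(text):
        # Grow the substring until it is no longer in the dictionary (or input ends).
        end = pos + 1
        while end <= len(text) and text[pos:end] in dictionary:
            end += 1
        substring = text[pos:end]
        if substring in dictionary:
            # Edge case the book's string avoids: the remaining tail is entirely a
            # known entry, so only its index is emitted and no new entry is made.
            tokens.append((dictionary.index(substring) + 1, ""))
        else:
            prefix = substring[:-1]                  # everything but the last character
            index = dictionary.index(prefix) + 1 if prefix else 0
            tokens.append((index, substring[-1]))
            dictionary.append(substring)             # new dictionary entry
        pos += len(substring)
    return tokens


def lz77_decompress(tokens):
    """Rebuild the text; the dictionary is reconstructed exactly as the compressor built it."""
    dictionary = []
    out = []
    for index, char in tokens:
        if index > len(dictionary):
            # A well-formed stream never references an entry that is not yet defined.
            raise ValueError(f"index {index} refers to an entry not yet defined")
        substring = (dictionary[index - 1] if index else "") + char
        if char:                                     # the compressor created an entry here
            dictionary.append(substring)
        out.append(substring)
    return "".join(out)


def render_tokens(tokens):
    """Book-style notation, e.g. 'B, A, 2B, 3B, 1A, 4B, 5A'."""
    return ", ".join(f"{index or ''}{char}" for index, char in tokens)


def symbol_count(tokens):
    """Characters in the book-style compressed string, separators excluded."""
    return sum(len(f"{index or ''}{char}") for index, char in tokens)


if __name__ == "__main__":
    sample = "BAABABBBAABBBBAA"                      # the book's sample string
    toks = lz77_compress(sample)
    print(render_tokens(toks), "->", symbol_count(toks), "symbols for", len(sample))
    print("round trip ok:", lz77_decompress(toks) == sample)
```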

Differential and Linear Cryptanalysis of DES

In this appendix, we briefly discuss two issues related to the DES cipher discussed in Chapter 6: differential and linear cryptanalysis. Thorough coverage of these two issues is beyond the scope of this book. This appendix is designed to give the general picture.

N.1 DIFFERENTIAL CRYPTANALYSIS

Differential cryptanalysis for DES was invented by Biham and Shamir. In this cryptanalysis, the intruder concentrates on chosen-plaintext attacks. The analysis uses the propagation of input differences through the cipher. The term difference here is used to refer to the exclusive-or of two different inputs (plaintexts). In other words, the intruder analyzes how P ⊕ P′ is propagated through rounds.



Probabilistic Relations

The idea of differential cryptanalysis is based on the probabilistic relations between input differences and output differences. Two relations are of particular interest in the analysis: differential profiles and round characteristics, as shown in Figure N.1.



Figure N.1 Differential profile and round characteristic
[a. Differential profile: a table of probabilities relating input and output differences of an S-box; b. Round characteristic]

Differential Profile

A differential profile (or XOR profile) shows the probabilistic relation between the input differences and output differences of an S-box. We discussed this profile for a simple S-box in Chapter 5 (see Table 5.5). Similar profiles can be created for each of the eight S-boxes in DES.

Round Characteristic

A round characteristic is similar to a differential profile, but calculated for the whole round. The characteristic shows the probability that one input difference would create one output difference. Note that the characteristic is the same for each round because any relation that involves differences is independent of the round key. Figure N.2 shows four different round characteristics.

Figure N.2 Some round characteristics for differential cryptanalysis
[four one-round characteristics, a to d, each giving the left and right input differences, the left and right output differences, and the probability; the values are listed in the text below]

Although we can have many characteristics for a round, Figure N.2 shows only four of them. In each characteristic, we have divided the input differences and the output differences into the left and right sections. Each left or right difference is made of 32 bits or eight hexadecimal digits. All of these characteristics can be proved using a program that finds the input/output relation in a round of DES. Figure N.2a shows that the input difference of (x, 00000000_16) produces the output difference of (x, 00000000_16) with probability 1. Figure N.2b shows the same characteristic as Figure N.2a except that the left and right inputs and outputs are swapped; the probability will change tremendously. Figure N.2c shows that the input difference of (40080000_16, 04000000_16) produces the output difference (00000000_16, 04000000_16) with probability 1/4. Finally, Figure N.2d shows that the input difference (00000000_16, 60000000_16) produces the output difference (00808200_16, 60000000_16) with probability 14/64.
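An added Python example, not from the book, that builds the XOR profile of DES S-box S1 and traces the 14/64 characteristic of Figure N.2d through it: the right-half difference 60000000_16 reaches S1 alone as the 6-bit input difference 0C_16, the most likely S1 output difference is E_16 with 14 of 64 input pairs, and the permutation P spreads that nibble to 00808200_16. The S1 table and the S1 rows of E and P are taken from the DES standard.

```python
# Added example, not from the book: the XOR (differential) profile of DES S1 and
# the one-round f-characteristic it yields for a difference confined to S1.

# DES S-box S1 (FIPS 46): row = outer two input bits, column = inner four bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Positions (1 = most significant) of the 32-bit right half that E feeds into S1,
# and the positions in P's 32-bit output where S1's four output bits land.
E_S1 = [32, 1, 2, 3, 4, 5]
P_S1 = [9, 17, 23, 31]


def sbox(table, x):
    """Apply a DES S-box to a 6-bit input."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def xor_profile(table):
    """profile[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout.
    An entry divided by 64 is the probability the book's differential profile shows."""
    profile = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            profile[din][sbox(table, x) ^ sbox(table, x ^ din)] += 1
    return profile


def bit32(word, pos):
    return (word >> (32 - pos)) & 1


def s1_input_diff(delta_r):
    """6-bit difference entering S1 for a 32-bit right-half difference delta_r.
    E only selects and copies bits, so it maps differences the same way as values."""
    v = 0
    for pos in E_S1:
        v = (v << 1) | bit32(delta_r, pos)
    return v


def p_of_s1_output(dout):
    """32-bit difference after P when only S1 has a nonzero output difference dout."""
    word = 0
    for i, pos in enumerate(P_S1):
        if (dout >> (3 - i)) & 1:
            word |= 1 << (32 - pos)
    return word


def s1_only_f_characteristic(delta_r):
    """Most likely f-output difference and its count out of 64 for a right-half
    difference that reaches S1 alone. Only bits 2 and 3 qualify: E shares bits
    1, 4, 5 and 32 with the neighbouring S-boxes S8 and S2."""
    if delta_r & ~0x60000000 & 0xFFFFFFFF:
        raise ValueError("difference must be confined to bits 2 and 3 of the right half")
    row = xor_profile(S1)[s1_input_diff(delta_r)]
    dout = max(range(16), key=row.__getitem__)
    return p_of_s1_output(dout), row[dout]


if __name__ == "__main__":
    out_diff, count = s1_only_f_characteristic(0x60000000)
    print(f"dR = 60000000 -> S1 input diff {s1_input_diff(0x60000000):02X}")
    print(f"f output diff {out_diff:08X} with probability {count}/64")
```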






A Three-Round Characteristic

After creation and storage of single-round characteristics, the analyzer can combine different rounds to create a multiple-round characteristic. Figure N.3 shows a case of a three-round DES.

Figure N.3 A three-round characteristic for differential cryptanalysis
[ΔL_0 = 40080000_16, ΔR_0 = 04000000_16; ΔR_1 = 00000000_16; round probabilities P = 1/4, P = 1, P = 1/4; overall P = 1/16]

In Figure N.3, we have used three mixers and only two swappers, because the last round needs no swapper, as discussed in Chapter 5. The characteristic shown in the mixers of the first and third rounds is the same as the one in Figure N.2b. The characteristic of the mixer in the second round is the same as the one in Figure N.2a. A very interesting point is that, in this particular case, the input and output differences are the same (ΔL_3 = ΔL_0 and ΔR_3 = ΔR_0).



A Sixteen-Round Characteristic

Many different characteristics can be compiled for a sixteen-round cipher. Figure N.4 shows an example. In this figure, a complete DES cipher is made of eight two-round sections. Each section uses the characteristics a and b of Figure N.2. It is clear that if the last round lacks the swapper, the input (x, 0) creates the output (0, x) with probability (1/234)^8.



For the sake of example, let us assume that Eve uses the characteristic of Figure N.4 to attack a sixteen-round DES. Eve somehow lures Alice to encrypt a lot of plaintexts in the form (x, 0), in which the left half is x (different values) and the right half is 0. Eve then keeps all ciphertexts received from Alice in the form (0, x). Note that 0 here means 00000000_16.



Figure N.4 A sixteen-round characteristic for differential cryptanalysis
[eight two-round sections, each with probability P = 1/234]

Finding the Cipher Key

The ultimate goal of the intruder in differential cryptanalysis is to find the cipher key. This can be done by finding the round keys from the bottom to the top (K_16 to K_1).






Finding the Last Round Key

If the intruder has enough plaintext/ciphertext pairs (each with different values of x), she can use the relationship in the last round, 0 = f(K_16, x), to find some of the bits in K_16. This can be done by finding the most probable values that make the relation more likely.

Finding Other Round Keys

The keys for other rounds can be found using other characteristics or using brute-force attacks.



Security

It turned out that 2^47 chosen plaintext/ciphertext pairs are needed to attack a 16-round DES. Finding such a huge number of chosen pairs is extremely difficult in real-life situations. This means that DES is not vulnerable to this type of attack.






N.2 LINEAR CRYPTANALYSIS

Linear cryptanalysis for DES was developed by Matsui. It is a known-plaintext attack. The analysis uses the propagation of a particular set of bits through the cipher.

Linearity Relations

Linear cryptanalysis concentrates on linearity relations. Two sets of relations are of particular interest in this cryptanalysis: linear profiles and round characteristics, as shown in Figure N.5.



Figure N.5 Linear profile and round characteristic for DES
[a. Linearity profile: a table with probabilities; b. Round characteristic]

Linear Profile

A linear profile shows the level of linearity between the input and output of an S-box. We saw in Chapter 5 that, in an S-box, each output bit is a function of all input bits. The desired property in an S-box is achieved if each output bit is a nonlinear function of all input bits. Unfortunately, this ideal situation does not exist in DES; some output bits are a linear function of some combinations of input bits. In other words, one can find some combinations of input/output bits that can be mapped to each other with a linear function. The linear profile shows the level of linearity (or nonlinearity) between an input and an output. The cryptanalyst can create eight different tables, one for each S-box, in which the first column shows the possible combinations of six-bit inputs, 00_16 to 3F_16, and the first row shows the possible combinations of four-bit outputs, 0_16 to F_16. The entries show the level of linearity (or nonlinearity, based on the design). We cannot delve into the details of how we measure the level of linearity, but the entries with a high level of linearity are interesting to the cryptanalyst.

Round Characteristic

A round characteristic in linear cryptanalysis shows the combination of input bits, round key bits, and output bits that show a linear relation. Figure N.6 shows two different round characteristics. The notation used for each case defines the bits that must be exclusive-ored together. For example, O(7, 18, 24, 29) means the exclusive-or of the 7th, 18th, 24th, and 29th bits coming out of the function; K(22) means the 22nd bit in the round key; I(15) means the 15th bit going into the function.



ENDlX JV Dii fKRmnAL AND UNFA R WWTWALi'SQ Of »£S 

^ 



Figure N.6 Two round characteristics for linear cryptanalysis (a. O(7, 8, 24, 29) ⊕ I(15) = K(22), p = 52/64; b. O(15) = K(42, 43, 45, 46) ⊕ I(29))



The following shows the relations of parts a and b in Figure N.6 using individual bits.

Part a: O(7) ⊕ O(8) ⊕ O(24) ⊕ O(29) = I(15) ⊕ K(22)

Part b: O(15) = I(29) ⊕ K(42) ⊕ K(43) ⊕ K(45) ⊕ K(46)



A Three-Round Characteristic



After creation and storage of single-round characteristics, the analyzer can combine different rounds to create a multiple-round characteristic. Figure N.7 shows a case of a three-round DES in which rounds 1 and 3 use the same characteristic as shown in Figure N.6a, but round 2 uses an arbitrary characteristic.



Figure N.7 A three-round characteristic for linear cryptanalysis (round 1: p = 52/64; round 2: arbitrary characteristic; round 3: p = 52/64)



SECTION LINEAR CRYPTANALYSIS 651

The goal of linear cryptanalysis is to find a linear relation between some bits in the plaintext, the ciphertext, and the key. Let us see if we can establish such a relation for the three-round DES depicted in Figure N.7.

But L2 is the same as R1, and R2 is the same as R3. After replacing L2 with R1 and R2 with R3 in the second relation, and then substituting R1 with its equivalent value from round 1, we have:

L3(7, 8, 24, 29) = L0(7, 8, 24, 29) ⊕ R0(15) ⊕ K1(22) ⊕ R3(15) ⊕ K3(22)

This is a relationship between input and output bits for the whole three rounds; after being reordered:

L3(7, 8, 24, 29) ⊕ R3(15) = L0(7, 8, 24, 29) ⊕ R0(15) ⊕ K1(22) ⊕ K3(22)

In other words, writing P for the plaintext block (L0 followed by R0) and C for the ciphertext block (L3 followed by R3), we have

C(7, 8, 24, 29 of L3; 15 of R3) ⊕ P(7, 8, 24, 29 of L0; 15 of R0) = K1(22) ⊕ K3(22)

Probability

One interesting question is how to find the probability of a three-round (or n-round) characteristic for DES. Matsui proved that the probability in this case is

p = 1/2 + 2^(n−1) × ∏ (p_i − 1/2)

in which n is the number of rounds, p_i is the probability of each round characteristic, and p is the total probability. For example, the total probability for the three-round analysis in Figure N.7 is

p = 1/2 + 2^(3−1) × [(52/64 − 1/2) × (1 − 1/2) × (52/64 − 1/2)] ≈ 0.695
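The linear profile described above and the piling-up estimate for the three-round characteristic, as an added Python example (not code from the book). It builds the table of counts for every input-mask/output-mask pair of an S-box, using S-box 1 of S-DES from Appendix O (the standard Schaefer values, assumed here) because its 4-bit input keeps the table readable; the same function, given a DES S-box table with in_bits=6 and out_bits=4, builds the 64 × 16 profile the text describes.

```python
"""Linear profile of an S-box and the piling-up estimate (Appendix N).

Added example; not code from the book.  The S-box used is S-box 1 of
S-DES from Appendix O (standard Schaefer values, assumed here).  A DES
S-box table (4 rows x 16 columns, 6-bit input) works unchanged with
in_bits=6 and out_bits=4, giving the 64 x 16 profile the text describes.
"""
from itertools import product

# S-DES S-box 1: row = input bits 1 and 4, column = input bits 2 and 3.
SBOX1 = [
    [1, 0, 3, 2],
    [3, 2, 1, 0],
    [0, 2, 1, 3],
    [3, 1, 3, 2],
]


def sbox_lookup(table, x, in_bits=4):
    """DES-style lookup: outer bits of x select the row, inner bits the column."""
    row = (((x >> (in_bits - 1)) & 1) << 1) | (x & 1)
    col = (x >> 1) & ((1 << (in_bits - 2)) - 1)
    return table[row][col]


def parity(v):
    """XOR of all bits of v (0 or 1)."""
    return bin(v).count("1") & 1


def linear_profile(table, in_bits=4, out_bits=2):
    """Map (input mask a, output mask b) -> number of inputs x for which
    parity(a & x) == parity(b & S(x)).  With 2^in_bits inputs, a count far
    from 2^(in_bits - 1) means the masked input and output bits are
    (nearly) linearly related, which is what a cryptanalyst looks for."""
    profile = {}
    for a, b in product(range(1 << in_bits), range(1 << out_bits)):
        profile[(a, b)] = sum(
            parity(a & x) == parity(b & sbox_lookup(table, x, in_bits))
            for x in range(1 << in_bits)
        )
    return profile


def best_approximations(profile, in_bits=4, top=3):
    """The `top` mask pairs with the largest |count - 2^(in_bits-1)|,
    excluding the trivial (0, 0) pair."""
    half = 1 << (in_bits - 1)
    ranked = sorted((masks, n) for masks, n in profile.items() if masks != (0, 0))
    ranked.sort(key=lambda item: -abs(item[1] - half))
    return ranked[:top]


def piling_up(probabilities):
    """Matsui's piling-up lemma: p = 1/2 + 2^(n-1) * prod(p_i - 1/2)."""
    bias = 1.0
    for p in probabilities:
        bias *= p - 0.5
    return 0.5 + 2 ** (len(probabilities) - 1) * bias


if __name__ == "__main__":
    profile = linear_profile(SBOX1)
    for (a, b), n in best_approximations(profile):
        print(f"in mask {a:04b}  out mask {b:02b}  holds for {n}/16 inputs")
    # Three-round characteristic of Figure N.7: 52/64, arbitrary (1), 52/64.
    print("three-round probability:", piling_up([52 / 64, 1, 52 / 64]))  # ~0.695
```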



A Sixteen-Round Characteristic

A 16-round characteristic can also be compiled to provide a linear relationship between some plaintext bits, some ciphertext bits, and some bits in the round keys:

C(some bits) ⊕ P(some bits) = K1(some bits) ⊕ … ⊕ K16(some bits)




Attack

After finding and storing many relationships between some plaintext bits, ciphertext bits, and round-key bits, Eve can access some plaintext/ciphertext pairs (known-plaintext attack) and use the corresponding bits in the stored characteristics to find bits in the round keys.

Security

It turned out that 2^43 known plaintext/ciphertext pairs are needed to attack a 16-round DES. Linear cryptanalysis looks more probable than differential cryptanalysis for two reasons. First, the number of steps is smaller. Second, it is easier to launch a known-plaintext attack than a chosen-plaintext attack. However, the attack is still far from being a serious threat to DES.



Simplified DES (S-DES)

Simplified DES (S-DES), developed by Professor Edward Schaefer of Santa Clara University, is an educational tool designed to help students learn the structure of DES using a smaller number of bits. Readers may choose to study this appendix before reading Chapter 6.




O.1 S-DES STRUCTURE

S-DES is a block cipher, as shown in Figure O.1.



Figure O.1 Encryption and decryption in S-DES (8-bit plaintext in, 8-bit ciphertext out, and back)



At the encryption site, S-DES takes an 8-bit plaintext and creates an 8-bit ciphertext; at the decryption site, S-DES takes an 8-bit ciphertext and creates an 8-bit plaintext. The same 10-bit cipher key is used for both encryption and decryption.

Let us concentrate on encryption; later we will discuss decryption. The encryption process uses two permutation boxes (P-boxes), which we call initial and final permutations (also called IP and IP^−1), and two Feistel rounds. Each round uses a different 8-bit round key generated from the cipher key according to a predefined algorithm described later in this appendix. Figure O.2 shows the elements of S-DES at the encryption site.



APPENDIX O SIMPLIFIED DES (S-DES)



Figure O.2 General structure of S-DES encryption cipher (8-bit plaintext; initial permutation; round 1; round 2; final permutation; 8-bit ciphertext; a round-key generator derives the two round keys from the 10-bit cipher key)

Initial and Final Permutations

Figure O.3 shows the initial and final permutations (P-boxes). Each of these permutations takes an 8-bit input and permutes it according to a predefined rule. These permutations are straight permutations that are the inverses of each other, as discussed in Chapter 5. These two permutations have no cryptographic significance in S-DES. They are included in S-DES to make it compatible with DES.



Figure O.3 Initial and final permutations (IP and IP^−1)

Initial-permutation table: 2 6 3 1 4 8 5 7
Final-permutation table: 4 1 3 5 7 2 8 6



Rounds

S-DES uses two rounds. Each round of S-DES is a Feistel cipher, as shown in Figure O.4.



SECTION O.1 S-DES STRUCTURE 661



Figure O.4 A round in S-DES (encryption site): L_{i−1} and R_{i−1} (4 bits each) enter, K_i (8 bits) is applied in f(R_{i−1}, K_i), and L_i and R_i leave



The round takes L_{i−1} and R_{i−1} from the previous round (or the initial permutation box) and creates L_i and R_i, which go to the next round (or the final permutation box). As we discussed in Chapter 5, we can assume that each round has two cipher elements: a mixer and a swapper. Each of these elements is invertible. The swapper is obviously invertible; it swaps the left half of the text with the right half. The mixer is invertible because of the XOR operation. All noninvertible elements are collected inside the function, shown as f(R_{i−1}, K_i).

S-DES Function

The heart of S-DES is the S-DES function. The S-DES function applies an 8-bit key to the rightmost 4 bits (R_{i−1}) to produce a 4-bit output. This function is made up of four sections: an expansion P-box, a whitener (which adds the key), a group of S-boxes, and a straight P-box, as shown in Figure O.4.

Expansion P-box  R_{i−1} is a 4-bit input and K_i is an 8-bit key, so we first need to expand R_{i−1} to 8 bits. Although the relationship between the input and output can be defined mathematically, S-DES uses a table to define this P-box, as shown in Figure O.5. Note that the number of output ports is 8, but the value range is only 1 to 4. Some of the inputs go to more than one output.

Whitener (XOR)  After the expansion permutation, S-DES uses the XOR operation on the expanded right section and the round key. Note that the round key is used only in this operation.

S-Boxes  The S-boxes do the real mixing (confusion). S-DES uses two S-boxes, each with a 4-bit input and a 2-bit output. See Figure O.6.







Figure O.5 Expansion P-box (4-bit input, 8-bit output). Expansion permutation table: 4 1 2 3 2 3 4 1




Figure O.6 S-boxes (the 8-bit input is split into two 4-bit chunks; each S-box gives 2 bits; a table for S-box 1 and a table for S-box 2)



The 8-bit output of the second operation is divided into two 4-bit chunks, and each chunk is fed into a box. The result of each box is a 2-bit chunk; when these are combined, the result is a 4-bit output. The combination of bits 1 and 4 of the input defines one of four rows; the combination of bits 2 and 3 defines one of the four columns, as shown in Figure O.6. Because each S-box has its own table, we need two tables, as shown in Figure O.6. The values of the outputs are given as decimal numbers to save space; these need to be changed to binary.

Example O.1

The input to S-box 1 is 1010. What is the output?

Solution

If we write the first and the fourth bits together, we get 10 in binary, which is 2; this selects row 2. If we write the second and the third bits together, we get 01 in binary, which is 1; this selects column 1. The entry at row 2, column 1 of the table for S-box 1 is 2, so the output is 10.






Straight P-box  The last operation in the S-DES function is a straight permutation with a 4-bit input and a 4-bit output. The input/output relationship for this operation is shown in Figure O.7 and follows the same general rule as previous permutation tables.



Figure O.7 Straight P-box (4-bit input, 4-bit output). Straight permutation table: 2 4 3 1



Key Generation

The round-key generator creates two 8-bit keys out of a 10-bit cipher key.

Straight Permutation

The first process is a straight permutation: it permutes the 10 bits in the key according to a predefined table, as shown in Figure O.8.



Figure O.8 Key generation (the 10-bit cipher key goes through a straight P-box and is split into two 5-bit halves; each half is shifted left and a compression P-box produces round key 1; after a further shift, the compression P-box produces round key 2). Table for straight P-box: 3 5 2 7 4 10 1 9 8 6



After the straight permutation, the key is divided into two 5-bit parts. Each part is shifted left (circular shift) r bits, where r is the round number (1 or 2). The two parts are then combined to form a 10-bit unit. See Chapter 5 for a discussion of shift operations.

Compression Permutation

The compression permutation (P-box) changes the 10 bits to 8 bits, which are used as a key for a round. The compression permutation table is also shown in Figure O.8.

Example O.2

Table O.1 shows three cases of key generation.

Table O.1 Key generation examples

Steps                  Case 1               Case 2               Case 3
Cipher key             1010000010           0000000000           1111111111
After permutation      1000001100           0000000000           1111111111
After splitting        L: 10000  R: 01100   L: 00000  R: 00000   L: 11111  R: 11111
Round 1:
  Shifted keys         L: 00001  R: 11000   L: 00000  R: 00000   L: 11111  R: 11111
  Combined key         0000111000           0000000000           1111111111
  Round key 1          10100100             00000000             11111111
Round 2:
  Shifted keys         L: 00100  R: 00011   L: 00000  R: 00000   L: 11111  R: 11111
  Combined key         0010000011           0000000000           1111111111
  Round key 2          01000011             00000000             11111111

Cases 2 and 3 show that none of the operations used in the key generation process is effective if the cipher key is made of all 0s or all 1s. These types of cipher keys need to be avoided, as discussed in Chapter 6.

S-DES is very vulnerable to brute-force attack because of its key size (10 bits).



O.2 CIPHER AND REVERSE CIPHER

Using mixers and swappers, we can create the cipher and reverse cipher, each having two rounds. The cipher is used at the encryption site; the reverse cipher is used at the decryption site. To make the cipher and the reverse cipher algorithms similar, round 2 has only a mixer and no swapper. This is shown in Figure O.9.

Although the rounds are not aligned, the elements (mixer or swapper) are aligned. We proved in Chapter 5 that a mixer is self-invertible; so is a swapper. The final and initial permutations are also inverses of each other. The left section of the plaintext at



SECTION O.2 CIPHER AND REVERSE CIPHER 665

Figure O.9 S-DES cipher and reverse cipher (8-bit plaintext; the mixers and swappers of the cipher are aligned with those of the reverse cipher)

the encryption site, L0, is enciphered by the cipher; at the decryption site, the reverse cipher deciphers it back to L0. The situation is the same with the right section.

A very important point we need to remember about the ciphers is that the round keys (K1 and K2) should be applied in the reverse order. At the encryption site, round 1 uses K1 and round 2 uses K2; at the decryption site, round 1 uses K2 and round 2 uses K1. Note also that there is no swapper in the second round.



Example O.3

We choose a random plaintext block and a random key, and determine what the ciphertext block would be:

Plaintext: …
Ciphertext: …

Let us show the result of each round and the text created before and after the rounds. Table O.2 first shows the result of the steps before starting the rounds. The plaintext goes through the initial permutation to create completely different 8 bits. After this step, the text is split into two






Table O.2 Initial processing, rounds, and final processing for Example O.3 (round key 1: 10111100; round key 2: 11010011)



halves, L0 and R0. The table shows the results of two rounds that involve mixing and swapping (except for the second round). The results of the last round (L2 and R2) are combined. Finally, the text goes through the final permutation to create the ciphertext.

Some points are worth mentioning here. First, the right section out of each round is the same as the left section out of the next round. The reason is that the right section goes through the mixer without change, but the swapper moves it to the left section. For example, the right section passes through the mixer of a round without change, but then it becomes the left section because of the swapper. The interesting point is that we do not have a swapper at the last round. That is why R1 becomes R2 instead of becoming L2.

Because of its small number of rounds, S-DES is more vulnerable to cryptanalysis than DES.
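The key generation, the S-DES function, the cipher and the reverse cipher of Appendix O, as an added Python example (not the book's code). It assumes the standard S-DES (Schaefer) tables, including the compression P-box table, which is not legible in this scan, and that the round-2 shift is applied to the halves already shifted for round 1, which is what Table O.1 Case 1 shows; the values in the docstring come from Table O.1 and Example O.1.

```python
"""S-DES (Appendix O): key generation, the S-DES function, cipher and
reverse cipher.  Added example, not the book's code.

Assumptions: the tables are the standard S-DES (Schaefer) tables, and the
compression P-box table, not legible in the scan, is the standard one.
The round-2 shift is applied to the halves already shifted for round 1,
which reproduces Table O.1 Case 1: cipher key 1010000010 gives round
keys 10100100 and 01000011.  Bit strings are used so that every table
keeps the book's 1-based positions.
"""

IP = [2, 6, 3, 1, 4, 8, 5, 7]              # initial permutation (Figure O.3)
IP_INV = [4, 1, 3, 5, 7, 2, 8, 6]          # final permutation (Figure O.3)
EXPAND = [4, 1, 2, 3, 2, 3, 4, 1]          # expansion P-box, 4 -> 8 bits (Figure O.5)
P4 = [2, 4, 3, 1]                          # straight P-box inside f (Figure O.7)
P10 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]      # straight P-box, key generation (Figure O.8)
P8 = [6, 3, 7, 4, 8, 5, 10, 9]             # compression P-box (assumed standard)
SBOX = [  # S-box 1 and S-box 2 (Figure O.6): row = bits 1,4; column = bits 2,3
    [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]],
    [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]],
]


def permute(bits, table):
    """bits: str of '0'/'1'; table: 1-based source position for each output bit."""
    return "".join(bits[i - 1] for i in table)


def xor(a, b):
    return "".join("0" if x == y else "1" for x, y in zip(a, b))


def rotl(half, n):
    """Circular left shift of a bit string by n positions."""
    n %= len(half)
    return half[n:] + half[:n]


def key_schedule(key10):
    """Return (K1, K2), the two 8-bit round keys of a 10-bit cipher key."""
    assert len(key10) == 10
    permuted = permute(key10, P10)
    left, right = permuted[:5], permuted[5:]
    left, right = rotl(left, 1), rotl(right, 1)   # round 1: shift left by 1
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)   # round 2: shift left by 2 more
    k2 = permute(left + right, P8)
    return k1, k2


def sbox(which, chunk4):
    """Bits 1 and 4 select the row, bits 2 and 3 the column; 2-bit result."""
    row = int(chunk4[0] + chunk4[3], 2)
    col = int(chunk4[1:3], 2)
    return format(SBOX[which][row][col], "02b")


def f(right4, round_key):
    """The S-DES function: expansion, whitener (XOR), S-boxes, straight P-box."""
    mixed = xor(permute(right4, EXPAND), round_key)
    return permute(sbox(0, mixed[:4]) + sbox(1, mixed[4:]), P4)


def two_rounds(block8, first_key, second_key):
    """Round 1 = mixer + swapper, round 2 = mixer only (Figure O.9)."""
    left, right = block8[:4], block8[4:]
    left, right = right, xor(left, f(right, first_key))   # mixer, then swap
    left = xor(left, f(right, second_key))                # mixer, no swap
    return left + right


def encrypt(plain8, key10):
    k1, k2 = key_schedule(key10)
    return permute(two_rounds(permute(plain8, IP), k1, k2), IP_INV)


def decrypt(cipher8, key10):
    """Reverse cipher: same structure, round keys in reverse order."""
    k1, k2 = key_schedule(key10)
    return permute(two_rounds(permute(cipher8, IP), k2, k1), IP_INV)


if __name__ == "__main__":
    key = "1010000010"                       # Table O.1, Case 1
    print("round keys:", key_schedule(key))  # ('10100100', '01000011')
    ct = encrypt("10110101", key)
    print("ciphertext:", ct, "decrypts to", decrypt(ct, key))
    for weak in ("0000000000", "1111111111"):   # Cases 2 and 3
        print(weak, "->", key_schedule(weak))
```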




Simplified AES (S-AES)

Simplified AES (S-AES), developed by Professor Edward Schaefer of Santa Clara University, is an educational tool designed to help students learn the structure of AES using smaller blocks and keys. Readers may choose to study this appendix before reading Chapter 7.

P.1 S-AES STRUCTURE

S-AES is a block cipher, as shown in Figure P.1.




Figure P.1 Encryption and decryption in S-AES (16-bit plaintext, S-AES cipher, 16-bit ciphertext, and back)


At the encryption site, S-AES takes a 16-bit plaintext and creates a 16-bit ciphertext; at the decryption site, S-AES takes a 16-bit ciphertext and creates a 16-bit plaintext. The same 16-bit cipher key is used for both encryption and decryption.

Rounds

S-AES is a non-Feistel cipher that encrypts and decrypts a data block of 16 bits. It uses one pre-round transformation and two rounds. The cipher key is also 16 bits. Figure P.2



667 







Figure P.2 General design of S-AES encryption cipher (16-bit plaintext; round keys K0, K1, K2, each 16 bits, produced by key expansion from the 16-bit cipher key; 16-bit ciphertext)



shows the general design for the encryption algorithm (called the cipher); the decryption algorithm (called the inverse cipher) is similar, but the round keys are applied in the reverse order.

In Figure P.2, the round keys, which are created by the key-expansion algorithm, are always 16 bits, the same size as the plaintext or ciphertext block. In S-AES there are three round keys, K0, K1, and K2.

Data Units

S-AES uses five units of measurement to refer to data: bits, nibbles, words, blocks, and states, as shown in Figure P.3.

Figure P.3 Data units used in S-AES (bit, nibble, word, block, state)



In S-AES, a bit is a binary digit with a value of 0 or 1. We use a lowercase letter b to refer to a bit.



SECTION P.1 S-AES STRUCTURE



Nibble

A nibble is a group of 4 bits that can be treated as a single entity, a row matrix of 4 bits, or a column matrix of 4 bits. When treated as a row matrix, the bits are inserted into the matrix from left to right; when treated as a column matrix, the bits are inserted into the matrix from top to bottom. We use a lowercase bold letter n to refer to a nibble. Note that a nibble is actually a single hexadecimal digit.

Word

A word is a group of 8 bits that can be treated as a single entity, a row matrix of two nibbles, or a column matrix of 2 nibbles. When it is treated as a row matrix, the nibbles are inserted into the matrix from left to right; when it is considered as a column matrix, the nibbles are inserted into the matrix from top to bottom. We use the lowercase bold letter w to refer to a word.

Block

S-AES encrypts and decrypts data blocks. A block in S-AES is a group of 16 bits. However, a block can be represented as a row matrix of 4 nibbles.

State

In S-AES, a data block is also referred to as a state. We use an uppercase bold letter S to refer to a state. States, like blocks, are made of 16 bits, but normally they are treated as matrices of 4 nibbles. In this case, each element of a state is referred to as s_{r,c}, where r (0 to 1) defines the row and c (0 to 1) defines the column. At the beginning of the cipher, nibbles in a data block are inserted into a state column by column, and in each column, from top to bottom. At the end of the cipher, nibbles in the state are extracted in the same way, as shown in Figure P.4.

Figure P.4 Block-to-state and state-to-block transformation (the four nibbles of a block enter the state column by column, top to bottom, and are extracted the same way)
APPENDIX P SIMPLIFIED AES (S-AES)

Example P.1

Figure P.5 shows how a 16-bit block is changed to a state. The state matrix is filled up, column by column, as shown in the figure.

Figure P.5 Changing a block to a state (Example P.1)




Structure of Each Round

Figure P.6 shows the structure of each round at the encryption site. Each transformation takes a state and creates another state to be used for the next transformation or the next round. Round 2 has only three transformations (the MixColumns transformation is missing).

Figure P.6 Structure of each round at the encryption site (SubNibbles, ShiftRows, MixColumns, AddRoundKey; one AddRoundKey is applied before round 1; the third transformation, MixColumns, is missing in round 2)

At the decryption site, the inverse transformations are used, except for AddRoundKey (this one is self-invertible).



1 



SECTION P.2 TRANSFORMATIONS 671



P.2 TRANSFORMATIONS

To provide security, S-AES uses four types of transformations: substitution, permutation, mixing, and key-adding. We will discuss each here.

Substitution

Substitution is done for each nibble (4-bit data unit). Only one table is used for transformation of every nibble, which means that if two nibbles are the same, the transformation is also the same. In this appendix, transformation is defined by a table lookup process.

SubNibbles

The first transformation, SubNibbles, is used at the encryption site. To substitute a nibble, we interpret the nibble as 4 bits. The left 2 bits define the row and the right 2 bits define the column of the substitution table. The hexadecimal digit at the junction of the row and the column is the new nibble. Figure P.7 shows the idea.

Figure P.7 SubNibbles transformation

SubNibbles table (row = left 2 bits, column = right 2 bits; rows 00 to 11):
9 4 A B
D 1 8 5
6 2 0 3
C E F 7

InvSubNibbles table (same indexing):
A 5 9 B
1 7 8 F
6 0 2 3
C 4 D E



In the SubNibbles transformation, the state is treated as a 2 × 2 matrix of nibbles. Transformation is done one nibble at a time. The contents of each nibble are changed, but the arrangement of the nibbles in the matrix remains the same. In the process, each nibble is transformed independently: there are four distinct nibble-to-nibble transformations.

SubNibbles involves four independent nibble-to-nibble transformations.

Figure P.7 also shows the substitution table (S-box) for the SubNibbles transformation. The transformation definitely provides a confusion effect. For example, two nibbles, A_16 and B_16, which differ only in one bit (the rightmost bit), are transformed to 0_16 and 3_16, which differ in two bits.




InvSubNibbles

InvSubNibbles is the inverse of SubNibbles. The inverse transformation is also shown in Figure P.7. We can easily check that the two transformations are inverses of each other.

Example P.2

Figure P.8 shows how a state is transformed using the SubNibbles transformation. The figure also shows that the InvSubNibbles transformation creates the original state. Note that if two nibbles have the same values, their transformations are also the same. The reason is that every nibble uses the same table.

Figure P.8 SubNibbles transformation in Example P.2



Permutation

Another transformation found in a round is shifting, which permutes the nibbles. The shifting transformation in S-AES is done at the nibble level; the order of the bits in the nibble is not changed.

In the encryption, the transformation is called ShiftRows and the shifting is to the left. The number of shifts depends on the row number (0, 1) of the state matrix. This means row 0 is not shifted at all and row 1 is shifted 1 nibble. Figure P.9 shows the shifting transformation. Note that the ShiftRows transformation operates one row at a time.

Figure P.9 ShiftRows transformation (row 0: no shift; row 1: 1-nibble shift)



In the decryption, the transformation is called InvShiftRows and the shifting is to the right. The number of shifts is the same as the number of the row (0, 1) in the state matrix.

The ShiftRows and InvShiftRows transformations are inverses of each other.

Example P.3

Figure P.10 shows how a state is transformed using ShiftRows. The figure also shows that the InvShiftRows transformation creates the original state.



Figure P.10 ShiftRows transformation in Example P.3



Mixing

The substitution provided by the SubNibbles transformation changes the value of the nibble based only on the nibble's original value and an entry in the table; the process does not include the neighboring nibbles. We can say that SubNibbles is an intra-nibble transformation. The permutation provided by the ShiftRows transformation exchanges nibbles without permuting the bits inside the nibbles. We can say that ShiftRows is a nibble-exchange transformation. We also need an inter-nibble transformation that changes the bits inside a nibble, based on the bits inside the neighboring nibbles. We need to mix nibbles to provide diffusion at the bit level.

The mixing transformation changes the contents of each nibble by taking 2 nibbles at a time and combining them to create 2 new nibbles. To guarantee that each new nibble is different (even if the old nibbles are the same), the combination process first multiplies each nibble with a different constant and then mixes them. The mixing can be provided by matrix multiplication. As we discussed in Chapter 2, when we multiply a square matrix by a column matrix, the result is a new column matrix. Each element in the new matrix depends on the two elements of the old matrix after they are multiplied by row values in the constant matrix.

MixColumns

The MixColumns transformation operates at the column level; it transforms each column of the state into a new column. The transformation is actually the matrix multiplication of a state column by a constant square matrix. The nibbles in the state column and constant matrix are interpreted as 4-bit words (or polynomials) with coefficients in







GF(2). Multiplication of nibbles is done in GF(2^4) with modulus (x^4 + x + 1) or (10011). Addition is the same as XORing of 4-bit words. Figure P.11 shows the MixColumns transformation.

Figure P.11 MixColumns transformation. Constant matrix for MixColumns: [1 4; 4 1]; constant matrix for InvMixColumns: [9 2; 2 9]

InvMixColumns

The InvMixColumns transformation is basically the same as the MixColumns transformation. If the two constant matrices are inverses of each other, it is easy to prove that the two transformations are inverses of each other.

The MixColumns and InvMixColumns transformations are inverses of each other.

Figure P.12 shows how a state is transformed using the MixColumns transformation. The figure also shows that the InvMixColumns transformation creates the original one.

Figure P.12 The MixColumns transformation example (old state, rows: 6 C / F F; after MixColumns, rows: F 5 / 4 A; InvMixColumns restores the old state)

Note that equal nibbles in the old state are not equal any more in the new state. For example, the two nibbles F in the second row are changed to 4 and A.

Key Adding

Probably the most important transformation is the one that includes the cipher key. All previous transformations use known algorithms that are invertible. If the cipher

SECTION P.3 KEY EXPANSION 675

key is not added to the state at each round, it is very easy for the adversary to find the plaintext, given the ciphertext. The cipher key is the only secret between Alice and Bob in this case.

S-AES uses a process called key expansion (discussed later in this appendix) that creates three round keys from the cipher key. Each round key is 16 bits long; it is treated as two 8-bit words. For the purpose of adding the key to the state, each word is considered as a column matrix.




AddRoundKey

AddRoundKey proceeds one column at a time. It is similar to MixColumns in this respect. MixColumns multiplies a constant square matrix by each state column; AddRoundKey adds a round key word with each state column matrix. The operations in MixColumns are matrix multiplication; the operations in AddRoundKey are matrix addition. The addition is performed in the GF(2^4) field. Because addition and subtraction in this field are the same, the AddRoundKey transformation is the inverse of itself. Figure P.13 shows the AddRoundKey transformation.

The AddRoundKey transformation is the inverse of itself.

Figure P.13 AddRoundKey transformation

P.3 KEY EXPANSION

The key-expansion routine creates three 16-bit round keys from one single 16-bit cipher key. The first round key is used for the pre-round transformation (AddRoundKey); the remaining round keys are used for the last transformation (AddRoundKey) at the end of round 1 and round 2.

The key-expansion routine creates round keys word by word, where a word is an array of 2 nibbles. The routine creates 6 words, which are called w0, w1, …, w5.



Creation of Words in S-AES

Figure P.14 shows how 6 words are made from the original key.



Figure P.14 Creation of words in S-AES (round 1 makes w2 and w3; round 2 makes w4 and w5; RC1 = 80_16, RC2 = 30_16; t_i, the temporary words, are made from w_{i−1} and the round constant of round N_r as described below)



The process is as follows:

1. The first two words (w0, w1) are made from the cipher key. The cipher key is thought of as an array of 4 nibbles (n0 to n3). The first 2 nibbles (n0 to n1) become w0; the next 2 nibbles (n2 to n3) become w1. In other words, the concatenation of the words in this group replicates the cipher key.

2. The rest of the words (w_i for i = 2 to 5) are made as follows:

a. If (i mod 2) = 0, w_i = t_i ⊕ w_{i−2}. Here t_i, a temporary word, is the result of applying two routines, SubWord and RotWord, on w_{i−1} and XORing the result with a round constant, RC[N_r], where N_r is the round number. In other words, we have

t_i = SubWord(RotWord(w_{i−1})) ⊕ RC[N_r]

The words w2 and w4 are made using this process.

b. If (i mod 2) ≠ 0, w_i = w_{i−1} ⊕ w_{i−2}. Referring to Figure P.14, this means each word is made from the word at the left and the word at the top. The words w3 and w5 are made using this process.

RotWord

The RotWord (rotate word) routine is similar to the ShiftRows transformation, but it is applied to only one row. The routine takes a word as an array of 2 nibbles and shifts each nibble to the left with wrapping. In S-AES, this is actually swapping the 2 nibbles in the word.

SubWord

The SubWord (substitute word) routine is similar to the SubNibbles transformation, but it is applied only to 2 nibbles. The routine takes each nibble in the word and substitutes another nibble for it using the SubNibbles table in Figure P.7.



SECTION P.4 CIPHERS 677

Round Constants

Each round constant, RC, is a 2-nibble value in which the rightmost nibble is always 0. Figure P.14 also shows the value of the RCs.

Example P.4

Table P.1 shows how the keys for each round are calculated assuming that the 16-bit cipher key agreed upon by Alice and Bob is 2475_16.

Table P.1 Key expansion example

Round      Words                                                      Round key
Pre-round  w0 = 24, w1 = 75                                           K0 = 2475
Round 1    w2 = t2 ⊕ w0 = 95 ⊕ 24 = B1,  w3 = w2 ⊕ w1 = B1 ⊕ 75 = C4    K1 = B1C4
Round 2    w4 = t4 ⊕ w2 = EC ⊕ B1 = 5D,  w5 = w4 ⊕ w3 = 5D ⊕ C4 = 99    K2 = 5D99

In each round, the calculation of the second word is very simple. For the calculation of the first word we need to first calculate the value of the temporary word t_i, as shown below:

RotWord(C4) = 4C → SubWord(4C) = DC → t4 = DC ⊕ 30 = EC

P.4 CIPHERS

Now let us see how S-AES uses the four types of transformations for encryption and decryption. The encryption algorithm is referred to as the cipher and the decryption algorithm as the inverse cipher.

S-AES is a non-Feistel cipher, which means that each transformation or group of transformations must be invertible. In addition, the cipher and the inverse cipher must use these operations in such a way that they cancel each other. The round keys must also be used in the reverse order. To comply with this requirement, the transformations occur in a different order in the cipher and the reverse cipher, as shown in Figure P.15.

First, the order of SubNibbles and ShiftRows is changed in the reverse cipher. Second, the order of MixColumns and AddRoundKey is changed in the reverse cipher. This difference in ordering is needed to make each transformation in the cipher aligned with its inverse in the reverse cipher. Consequently, the decryption algorithm as a whole is the inverse of the encryption algorithm. Note that the round keys are used in the reverse order.



Figure P.15 Cipher and inverse cipher of the original design (the cipher applies SubNibbles, ShiftRows, MixColumns, AddRoundKey; the inverse cipher applies InvShiftRows, InvSubNibbles, AddRoundKey, InvMixColumns, with the round keys in reverse order)



Example P.5

We choose a random plaintext block and the cipher key used in Example P.4, and determine what the ciphertext block would be, as shown in Figure P.16.



Figure P.16 Example P.5 (pre-round AddRoundKey with K0; round 1: SubNibbles, ShiftRows, MixColumns, AddRoundKey with K1 = B1C4; round 2: SubNibbles, ShiftRows, AddRoundKey with K2 = 5D99)







This appendix presents some proofs for theorems used in Chapters 2 and 9. The proofs are mostly short and informal so that they will be useful for students in a cryptography course. The reader interested in more details can consult books on number theory.

Q.1 CHAPTER 2

This section presents some proofs for theorems on divisibility, Euclidean algorithms, and congruence.

Divisibility

Following are proofs for several theorems on divisibility.

Theorem Q.1: Division Relation (Algorithm)

For integers a and b with b > 0, there exist integers q and r such that a = q × b + r.

Proof:

Consider the arithmetic progression in the form:

…, −3 × b, −2 × b, −1 × b, 0 × b, 1 × b, 2 × b, 3 × b, …

It is obvious that integer a is either equal to one of the terms or lies between two consecutive terms. In other words, a = q × b + r, where q × b is a term in the above progression and r is the

Theorem Q.2

If a | 1, then a = ±1.

Proof:

a | 1 → 1 = x × a, where x is an integer.
This means: (x = 1 and a = 1) or (x = −1 and a = −1).
Therefore: a = ±1.





Theorem Q.3

If $a \mid b$ and $b \mid a$, then $a = \pm b$.

Proof:

$a \mid b \rightarrow b = x \times a$, where $x$ is an integer.
$b \mid a \rightarrow a = y \times b$, where $y$ is an integer.
We have $a = y \times (x \times a) = (x \times y) \times a$, so $x \times y = 1$.
This means: ($x = 1$ and $y = 1$) or ($x = -1$ and $y = -1$).
Therefore: $a = y \times b \rightarrow a = \pm b$.

Theorem Q.4

If $a \mid b$ and $b \mid c$, then $a \mid c$.

Proof:

$a \mid b \rightarrow b = x \times a$, where $x$ is an integer.
$b \mid c \rightarrow c = y \times b$, where $y$ is an integer.
We have $c = y \times (x \times a) = (y \times x) \times a$.
Therefore, $a \mid c$.

Theorem Q.5

If $a \mid b$ and $a \mid c$, then $a \mid (b + c)$.

Proof:

$a \mid b \rightarrow b = x \times a$, where $x$ is an integer.
$a \mid c \rightarrow c = y \times a$, where $y$ is an integer.
We have $b + c = (x + y) \times a$.
Therefore, $a \mid (b + c)$.




Theorem Q.6

If $a \mid b$ and $a \mid c$, then $a \mid (m \times b + n \times c)$, where $m$ and $n$ are arbitrary integers.

Proof:

$a \mid b \rightarrow b = x \times a$, where $x$ is an integer.
$a \mid c \rightarrow c = y \times a$, where $y$ is an integer.
We have $m \times b + n \times c = m \times (x \times a) + n \times (y \times a) = (m \times x + n \times y) \times a$.
Therefore, $a \mid (m \times b + n \times c)$.




Euclidean Algorithms

We used the Euclidean and extended Euclidean algorithms in Chapter 2. Following are proofs of two theorems related to these algorithms.

Theorem Q.7

If $a = b \times q + r$ ($r$ is the remainder of dividing $a$ by $b$), then $\gcd(a, b) = \gcd(b, r)$.

Proof:

Assume that $X$ is the set of common divisors of $a$ and $b$. Every element of $X$ divides $a$ and $b$ and therefore it divides $r = a - q \times b$ (Theorem Q.6). This means that every element of $X$ is also a common divisor of $b$ and $r$.

Now assume that $Y$ is the set of common divisors of $b$ and $r$. Every element of $Y$ divides $b$ and $r$ and therefore it divides $a = b \times q + r$ (Theorem Q.6). This means that every element of $Y$ is also a common divisor of $a$ and $b$.

Therefore $X = Y$: the pairs $(a, b)$ and $(b, r)$ have the same set of common divisors, and in particular the same greatest common divisor.

As we saw in Chapter 2, this theorem is the basis of the Euclidean algorithm to find the greatest common divisor of two integers.

Theorem Q.8

If $a$ and $b$ are integers, not both of which are zero, then there exist integers $x$ and $y$ such that $\gcd(a, b) = x \times a + y \times b$.

Proof:

Assume that $D$ is the set of all values of $x \times a + y \times b$ for integers $x$ and $y$, and let $d = x_0 \times a + y_0 \times b$ be the smallest positive value in $D$ ($D$ contains positive values because $a$ and $b$ are not both zero).

First, $d \mid a$. By Theorem Q.1, $a = q \times d + r$ with $0 \le r < d$. Then $r = a - q \times d = (1 - q \times x_0) \times a + (-q \times y_0) \times b$, which implies that $r$ is a member of $D$. But because $r < d$ and $d$ is the smallest positive member of $D$, we must have $r = 0$, so $d \mid a$. The same argument shows $d \mid b$.

Second, any common divisor $c$ of $a$ and $b$ divides $x_0 \times a + y_0 \times b = d$ (Theorem Q.6), so $c \le d$.

Therefore $d$ is the greatest common divisor of $a$ and $b$, and $\gcd(a, b) = x_0 \times a + y_0 \times b$.

As we saw in Chapter 2, this theorem is the basis of the extended Euclidean algorithm.
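The two theorems above are the whole of the Euclidean and extended Euclidean algorithms. The following Python, added here as an illustration and not part of the appendix, runs Theorem Q.7 step by step, carries the Bezout coefficients of Theorem Q.8 along the same division steps, and uses them for the modular inverse that Chapter 2 derives from them; the function names and the sample inputs (2740 and 1760, 161 and 28, 11 modulo 26) are this example's own choices.

```python
# Added example (not from the appendix): Theorem Q.7 run as the Euclidean
# algorithm, Theorem Q.8 as the extended Euclidean algorithm, and the modular
# inverse built from it.  Function names and sample inputs are this example's own.


def euclid_steps(a, b):
    """Rows (a, b, q, r) of a = q*b + r.  By Theorem Q.7, gcd(a, b) = gcd(b, r)
    on every row, so the divisor of the last row (remainder 0) is the gcd."""
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, b, q, r))
        a, b = b, r
    return rows


def gcd(a, b):
    a, b = abs(a), abs(b)
    steps = euclid_steps(a, b)
    return steps[-1][1] if steps else a      # no steps means b == 0, gcd(a, 0) = a


def extended_gcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) = x*a + y*b (Theorem Q.8), for a, b >= 0.
    (x, y) is updated with the same quotient q as the remainder on each step,
    so the invariant old_r = old_x*a + old_y*b holds throughout."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n, or ValueError when gcd(a, n) != 1.
    From x*a + y*n = 1 it follows that x*a == 1 (mod n)."""
    d, x, _ = extended_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {d})")
    return x % n
```

The inverse is the security-relevant use: RSA key generation needs $d = e^{-1} \bmod \phi(n)$, and a caller that ignores the `ValueError` (or silently takes `x % n` when the gcd is not 1) produces a "key" that does not decrypt.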

Congruence

Following are proofs of some theorems about congruence used in Chapter 2.

Theorem Q.9

If $a$, $b$, and $n$ are integers with $n > 0$, then $a \equiv b \pmod{n}$ if and only if there exists an integer $q$ such that $a = q \times n + b$.

Proof:

If $a \equiv b \pmod{n}$, then $n \mid (a - b)$, which means $a - b = q \times n$ for some integer $q$. Therefore, we have $a = q \times n + b$.

If there is an integer $q$ such that $a = q \times n + b$, then $a - b = q \times n$, which means $n \mid (a - b)$. Therefore $a \equiv b \pmod{n}$.



Theorem Q.10

If $a$, $b$, $c$, and $n$ are integers with $n > 0$, such that $a \equiv b \pmod{n}$, then

a. $a + c \equiv b + c \pmod{n}$.
b. $a - c \equiv b - c \pmod{n}$.
c. $a \times c \equiv b \times c \pmod{n}$.

Proof: Note that $a \equiv b \pmod{n}$ means $n \mid (a - b)$.

a. $(a + c) - (b + c) = a - b$, so $n \mid ((a + c) - (b + c))$. Therefore, $a + c \equiv b + c \pmod{n}$.
b. $(a - c) - (b - c) = a - b$, so $n \mid ((a - c) - (b - c))$. Therefore, $a - c \equiv b - c \pmod{n}$.
c. $a \times c - b \times c = (a - b) \times c$, which is divisible by $n$ (Theorem Q.6). Therefore, $a \times c \equiv b \times c \pmod{n}$.

Theorem Q.11

If $a$, $b$, $c$, $d$, and $n$ are integers with $n > 0$, such that $a \equiv b \pmod{n}$ and $c \equiv d \pmod{n}$, then

a. $a + c \equiv b + d \pmod{n}$.
b. $a - c \equiv b - d \pmod{n}$.
c. $a \times c \equiv b \times d \pmod{n}$.

Proof: Note that $a \equiv b \pmod{n}$ means $n \mid (a - b)$ and $c \equiv d \pmod{n}$ means $n \mid (c - d)$.

a. $(a + c) - (b + d) = (a - b) + (c - d)$, which is divisible by $n$ (Theorem Q.5). Therefore, $a + c \equiv b + d \pmod{n}$.
b. $(a - c) - (b - d) = (a - b) - (c - d)$, which is divisible by $n$ (Theorem Q.6). Therefore, $a - c \equiv b - d \pmod{n}$.
c. $a \times c - b \times d = (a - b) \times c + b \times (c - d)$, which is divisible by $n$ (Theorem Q.6). Therefore, $a \times c \equiv b \times d \pmod{n}$.




Q.2 CHAPTER 9

This section presents some proofs of the theorems used in Chapter 9. We leave the discussion of the lengthy proofs, such as the proof of the Chinese remainder theorem, to books on number theory.



Primes

We prove just one theorem about primes.

Theorem Q.12

If $n$ is a composite, then there is a prime divisor $p$ such that $p \le \sqrt{n}$.

Proof:

Because $n$ is a composite, $n = a \times b$ with $1 < a \le b < n$.
If $p$ is the smallest prime divisor of $n$, then $p \le a \le b$ (every prime factor of $a$ is also a prime factor of $n$ by Theorem Q.4, so $a$ has no prime factor smaller than $p$).
Then $p \times p \le a \times b = n$, which means $p \le \sqrt{n}$.

This theorem is the reason the sieve of Eratosthenes and the divisibility (trial-division) test need to try only the primes up to $\sqrt{n}$: a composite $n$ is always caught by one of them.



Euler's Phi-Function

Following are the proofs related to Euler's phi-function.

Theorem Q.13

If $p$ is a prime, then $\phi(p) = p - 1$.

Proof:

Because $p$ is a prime, all integers less than $p$, namely $1, 2, \ldots, p - 1$, are relatively prime to $p$. There are $p - 1$ of them, so $\phi(p) = p - 1$.

This theorem is the first rule for calculating Euler's phi-function.

Theorem Q.14

If $p$ is a prime and $e$ is a positive integer, then $\phi(p^e) = p^e - p^{e-1}$.

Proof:

Among the integers $1, 2, \ldots, p^e$, the ones that are not relatively prime to $p^e$ are exactly the multiples of $p$: $1 \times p, 2 \times p, \ldots, p^{e-1} \times p$. These $p^{e-1}$ integers have the common divisor $p$ with $p^e$. The rest of the integers are relatively prime with $p^e$. Thus $\phi(p^e) = p^e - p^{e-1}$.

This theorem is another rule for calculating Euler's phi-function.

Theorem Q.15

If $n$ is a composite with prime factorization $n = \prod p_i^{e_i}$, then $\phi(n) = \prod \left(p_i^{e_i} - p_i^{e_i - 1}\right)$.

Proof:

The proof is based on the fact that $\phi(a \times b) = \phi(a) \times \phi(b)$ if $a$ and $b$ are relatively prime. Because the factors $p_i^{e_i}$ of $n$ are pairwise relatively prime, $\phi(n) = \prod \phi(p_i^{e_i})$, and Theorem Q.14 gives $\phi(p_i^{e_i}) = p_i^{e_i} - p_i^{e_i - 1}$.

This theorem is the generalization of the rules for Euler's phi-function.



Fermat's Little Theorem

Following are proofs of two theorems related to Fermat's little theorem.

Theorem Q.16

If $p$ is a prime and $a$ is a positive integer relatively prime to $p$, then $a^{p-1} \equiv 1 \pmod{p}$.

Proof:

The residues of the $p - 1$ terms $a, 2 \times a, 3 \times a, \ldots, (p - 1) \times a$ modulo $p$ are $1, 2, \ldots, (p - 1)$, but not necessarily in that order. (None of the terms is $0$ modulo $p$, because $p$ divides neither $a$ nor a factor between $1$ and $p - 1$; and no two of them are congruent, because $i \times a \equiv j \times a \pmod{p}$ would give $p \mid (i - j) \times a$, hence $p \mid (i - j)$, which forces $i = j$.)

The product $a \times 2a \times \cdots \times (p - 1)a$ equals $a^{p-1} \times (p - 1)!$.
The product $1 \times 2 \times \cdots \times (p - 1)$ equals $(p - 1)!$.

This means $a^{p-1} \times (p - 1)! \equiv (p - 1)! \pmod{p}$.

Therefore, $a^{p-1} \equiv 1 \pmod{p}$ when we divide both sides by $(p - 1)!$, which is allowed because $(p - 1)!$ is relatively prime to $p$.

This theorem is the first version of Fermat's little theorem.

Theorem Q.17

If $p$ is a prime and $a$ is a positive integer, then $a^p \equiv a \pmod{p}$.

Proof:

If $a$ and $p$ are coprime, we multiply both sides of the congruence in the previous theorem by $a$ to get $a^p \equiv a \pmod{p}$. If $a$ and $p$ are not coprime, then $p \mid a$, so both $a^p$ and $a$ are congruent to $0$ modulo $p$, and the congruence holds again.

This theorem is the second version of Fermat's little theorem.

Euler's Theorem

Following is a proof of one theorem related to the first version of Euler's theorem. We proved the second version in Chapter 9.

Theorem Q.18

If $n$ and $a$ are coprime, then $a^{\phi(n)} \equiv 1 \pmod{n}$.

Proof:

Assume that the elements in $Z_n^*$ are $r_1, r_2, \ldots, r_{\phi(n)}$. The set $r_1 \times a, r_2 \times a, \ldots, r_{\phi(n)} \times a$ is made by multiplying each element in $Z_n^*$ by $a$. Each element in this new set is congruent to an element in $Z_n^*$ (not necessarily in the same order), because $a$ is invertible modulo $n$: the products are again coprime to $n$, and $r_i \times a \equiv r_j \times a \pmod{n}$ implies $r_i \equiv r_j \pmod{n}$, so the $\phi(n)$ products are distinct modulo $n$.

This means $r_1 \times r_2 \times \cdots \times r_{\phi(n)} \equiv a^{\phi(n)} \times r_1 \times r_2 \times \cdots \times r_{\phi(n)} \pmod{n}$.

Therefore, $a^{\phi(n)} \equiv 1 \pmod{n}$, after dividing both sides by the product of the $r_i$, which is invertible modulo $n$.



Fundamental Theorem of Arithmetic

Following is a partial proof of the Fundamental Theorem of Arithmetic.

Theorem Q.19

Any positive integer $n$ greater than 1 can be written as the product of primes.

Proof:

We use induction. The base case is $n = 2$, which is a prime. For the general case, assume that every integer greater than 1 and less than $n$ can be written as a product of primes. If $n$ is a prime, it is its own one-factor product. Otherwise $n$ is a composite, $n = a \times b$ with $1 < a, b < n$. Because $a$ and $b$ are both less than $n$, each can be written as the product of primes by the induction hypothesis. Therefore $n$ can be written as a product of primes.

This theorem is a partial proof of the Fundamental Theorem of Arithmetic. To completely prove this theorem, we need to show the product is unique. But we leave this part to books on number theory.
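Theorems Q.12, Q.15, Q.16, Q.18 and Q.19 together give everything needed to compute $\phi(n)$ and to check the two exponent congruences numerically. The following Python (an added example; none of it is from the appendix) factors $n$ by trial division bounded as Theorem Q.12 allows, builds $\phi(n)$ from Theorem Q.15, and tests Fermat's and Euler's congruences. The constructed inputs include $561 = 3 \times 11 \times 17$, a composite that passes the Fermat check for base 2, which is why a Fermat primality test alone is only a necessary condition and the Miller-Rabin test adds the square root test. Function names are this example's own.

```python
# Added example (not from the appendix): phi(n) from the prime factorization,
# with numerical checks of Fermat's and Euler's theorems.  Function names and
# sample inputs are this example's own.
from math import gcd


def smallest_prime_factor(n):
    """Smallest prime factor of n > 1.  By Theorem Q.12 a composite n has a
    prime factor <= sqrt(n), so the search may stop once f*f > n."""
    if n % 2 == 0:
        return 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n            # no factor found below sqrt(n): n is prime


def factorize(n):
    """Theorem Q.19: write n > 1 as a product of primes; returns {p: e}."""
    factors = {}
    while n > 1:
        p = smallest_prime_factor(n)
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
    return factors


def phi(n):
    """Theorem Q.15: phi(n) = product over p^e || n of (p^e - p^(e-1))."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def fermat_holds(a, p):
    """Theorem Q.16: a^(p-1) == 1 (mod p) for prime p and gcd(a, p) = 1.
    A composite p may also pass (Fermat pseudoprime), so a True result is
    necessary, not sufficient, for primality."""
    return pow(a, p - 1, p) == 1


def euler_holds(a, n):
    """Theorem Q.18: a^phi(n) == 1 (mod n) whenever gcd(a, n) = 1; the
    congruence is not promised (and in fact fails) when gcd(a, n) > 1."""
    return pow(a, phi(n), n) == 1


def is_prime(n):
    return n > 1 and factorize(n) == {n: 1}


def is_fermat_pseudoprime(n, base=2):
    """Composite n that nevertheless passes the Fermat check for this base."""
    return not is_prime(n) and gcd(base, n) == 1 and fermat_holds(base, n)
```

`phi` is the quantity RSA key generation reduces exponents modulo, and `euler_holds(6, 240)` shows the hypothesis of Theorem Q.18 doing real work: with a common factor the congruence simply does not hold.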




A

A5/1  A member of the A5 family of stream ciphers used in the Global System for Mobile Communication (GSM).

abelian group  A commutative group.

access control  A security service that protects against unauthorized access to data. Also a security mechanism that verifies a user's right to access the data.

active attack  An attack that may change the data or harm the system.

additive cipher  The simplest monoalphabetic cipher, in which each character is encrypted by adding its value to a key.

additive inverse  In modular arithmetic, $a$ and $b$ are additive inverses of each other if $(a + b) \equiv 0 \pmod{n}$.

AddRoundKey  In AES, an operation that adds (exclusive-ors) a round key word with each state column matrix.

Advanced Encryption Standard (AES)  A non-Feistel symmetric-key block cipher published by NIST.

affine cipher  A cipher that combines the additive and multiplicative ciphers.

aggressive mode  In IKE, a mode that is a compressed version of the corresponding main mode, using a three-message exchange instead of six.

Alert Protocol  In SSL and TLS, a protocol for reporting errors and abnormal conditions.

algebraic structure  A structure that consists of a set of elements and operations that are defined for the set. Groups, rings, and fields are examples of algebraic structures.

anonymous Diffie-Hellman  In SSL and TLS, the original Diffie-Hellman protocol, in which the half-keys are exchanged without authentication.

associativity  In an algebraic structure, if $a$, $b$, and $c$ are elements of the underlying set and $\bullet$ denotes one of the operations, the associative property guarantees that $(a \bullet b) \bullet c = a \bullet (b \bullet c)$.

asymmetric-key cryptosystem  A cryptosystem that uses two different keys for encryption and decryption: a public key for encryption and a private key for decryption.

asymmetric-key encipherment  An encipherment using an asymmetric-key cryptosystem.

authentication  A security service that checks the identity of the party at the other end of the line.

authentication exchange  A security mechanism in which two entities exchange a set of messages to prove their identity to each other.

Authentication Header (AH)  A protocol in IPSec that provides message integrity and authentication.

authentication server (AS)  The server that plays the role of the KDC in the Kerberos protocol.

autokey cipher  A stream cipher in which each subkey in the stream is the same as the previous plaintext character. The first subkey is the secret shared between the two parties.

availability  This component of information security requires that the information created and stored by an organization be available to authorized entities.

avalanche effect  A desired characteristic in a cipher in which a small change in the plaintext or key results in a large change in the ciphertext.

B

binary operation  An operation that takes two inputs and creates one output.

biometrics  The measurement of physiological or behavioral features that identify a person.

birthday problem  A classical problem concerning the probability that $k$ people have distinct birthdays, where $k \le 365$.

bit  A binary digit with a value of 0 or 1.

bit-oriented cipher  A cipher in which the symbols in the plaintext, the ciphertext, and the key are bits.

blind signature  A patented scheme developed by David Chaum that allows a document to get signed without revealing the contents of the document to the signer.

block  A group of bits treated as one unit.

block cipher  A type of cipher in which blocks of plaintext are encrypted one at a time using the same cipher key.

broadcast attack  A type of attack on RSA that can be launched if one entity sends the same small message to a group of recipients with the same low encryption exponent.

brute-force attack  A type of attack in which the attacker tries all possible keys to find the cipher key.

bucket brigade attack  See man-in-the-middle attack.

byte  A group of eight bits. An octet.

C

Caesar cipher  An additive cipher with a fixed-value key used by Julius Caesar.

CBC-MAC  See CMAC.

certification authority (CA)  An organization that binds a public key to an entity and issues a certificate.

challenge-response authentication  An authentication method in which the claimant proves that she knows a secret without sending it.

ChangeCipherSpec Protocol  In SSL and TLS, the protocol that allows the movement from the pending state to the active state.

characteristic polynomial  In an LFSR, the polynomial representing the feedback function.

character-oriented cipher  A cipher in which the symbols in the plaintext, the ciphertext, and the key are characters.

Chinese remainder theorem (CRT)  A theorem that proves that there exists a unique solution for a set of congruence equations with one variable if the moduli are pairwise relatively prime.

chosen-ciphertext attack  A type of attack in which the adversary chooses a set of ciphertexts and somehow finds the corresponding plaintexts. She then analyzes the ciphertext/plaintext pairs to find the cipher key.

chosen-message attack  An attack in which the attacker somehow makes Alice sign one or more messages. The attacker later creates another message, with the content she wants, and forges Alice's signature on it.

chosen-plaintext attack  A type of attack in which the adversary chooses a set of plaintexts and somehow finds the corresponding ciphertexts. She then analyzes the plaintext/ciphertext pairs to find the cipher key.

cipher  A decryption and/or encryption algorithm.

cipher feedback (CFB) mode  A mode of operation in which each $r$-bit block is exclusive-ored with an $r$-bit key, which is part of an encrypted register.

cipher block chaining (CBC) mode  A mode of operation similar to ECB, but each block is first exclusive-ored with the previous ciphertext.

cipher suite  In SSL and TLS, the combination of key exchange, hash, and encryption algorithms.

ciphertext  The message after being encrypted.

ciphertext-only attack  A type of attack in which the intruder has only the intercepted ciphertext to analyze.

circular shift operation  An operation in modern block ciphers that removes $k$ bits from one end and inserts them at the other end.

claimant  In entity authentication, the entity whose identity needs to be proved.

clogging attack  In the Diffie-Hellman method, a type of attack in which an intruder sends many half-keys to one of the parties, pretending they are from different sources. The attack may eventually result in denial of service.

closure  In an algebraic structure, if $a$ and $b$ are elements of the underlying set and $\bullet$ denotes one of the operations, the closure property guarantees that $c = a \bullet b$ is also a member of the set.

CMAC  A standard MAC defined by NIST (SP 800-38B) that refines the CBC-MAC of the older Data Authentication Algorithm (FIPS 113). The method is similar to the cipher block chaining (CBC) mode.

coefficient  In a polynomial, the constant value in each term.

collision resistance  A property of a cryptographic hash function that ensures that the intruder cannot find two messages that hash to the same digest.

column matrix  A matrix with only one column.

combine operation  An operation in some block ciphers that concatenates two equal-length blocks to create a new block.

common modulus attack  A type of attack on RSA that can be launched if a community uses a common modulus.

commutative group  A group in which the binary operation satisfies the commutative property.



commutativity  In an algebraic structure, if $a$ and $b$ are elements of the underlying set and $\bullet$ denotes one of the operations, the commutative property guarantees that $a \bullet b = b \bullet a$.

composite  A positive integer with more than two divisors.

composition  Composition of two functions $f$ and $g$ is defined as $g(f(x))$, which means that first the function $f$ is applied to the domain element $x$ and then the function $g$ is applied to the result.

compression function  A function that creates a fixed-size digest out of a variable-size message.

compression P-box  A P-box with $n$ inputs and $m$ outputs, where $n > m$.

confidentiality  A security goal that defines procedures to hide information from an unauthorized entity.

confusion  A desired property of a block cipher introduced by Shannon that hides the relationship between the ciphertext and the key; it frustrates the adversary who tries to use the ciphertext to find the key.

congruence  If $n$ is a positive integer, two integers $a$ and $b$ are said to be congruent modulo $n$, written $a \equiv b \pmod{n}$, if $a - b = k \times n$ for some integer $k$.

congruence operator  The operator ($\equiv$) used in a congruence relation.

connection  In SSL and TLS, the process that allows two entities to exchange two random numbers and create the keys and parameters needed for communication.

cookie  A text that holds some information about the receiver and must be returned to the sender untouched.

Coppersmith theorem attack  A type of attack on RSA that can be launched if the value of the encryption exponent is small.

coprime  See relatively prime.

counter (CTR) mode  A mode of operation in which there is no feedback. It is similar to OFB, but a counter is used instead of a shift register.

cryptanalysis  The science and art of breaking codes.

cryptographic hash function  A function that creates a much shorter output from an input. To be useful, the function must be resistant to preimage, second preimage, and collision attacks.

Cryptographic Message Syntax (CMS)  The syntax used in S/MIME that defines the exact encoding scheme for each content type.

cryptography  The science and art of transforming messages to make them secure and immune to attacks.

cyclic subgroup  A subgroup that can be generated using the powers of an element in the group.

cycling attack  A type of attack on RSA that uses the fact that encryption is a permutation of the plaintext space: repeatedly re-encrypting the ciphertext will eventually result in the plaintext.

D

data confidentiality  A security service designed to protect data from disclosure attacks, snooping, and traffic analysis.

Data Encryption Standard (DES)  A symmetric-key block cipher using rounds of Feistel ciphers and standardized by NIST.

data expansion function  In TLS, a function that uses a predefined HMAC to expand a secret into a longer one.



data integrity  A security service designed to protect data from modification, insertion, deletion, and replaying. Also, a security mechanism that appends to the data a short checkvalue that has been created by a specific process from the data itself. The checkvalue can be used to protect the integrity of the data.

Davies-Meyer scheme  A hash function scheme basically the same as the Rabin scheme except that it uses forward feed to protect against the meet-in-the-middle attack.

deciphering  See decryption.

decoding  The term has many definitions. In this text, one of the meanings is to transform an $n$-bit integer into a $2^n$-bit string with only a single 1. The position of the single 1 is the value of the integer.

decryption  Descrambling of the ciphertext to create the original plaintext.

decryption algorithm  An algorithm used for decryption.

denial of service  An attack on the availability goal that may slow down or interrupt the system.

determinant  A scalar value defined for a square matrix. Over a field, a matrix is invertible if and only if its determinant is nonzero; in modular arithmetic (as in the Hill cipher) the determinant must have a multiplicative inverse modulo $n$.

dictionary attack  An attack in which the intruder is interested in finding one password regardless of the user ID.

differential cryptanalysis  A type of chosen-plaintext attack introduced by Biham and Shamir that uses the differential profile of S-boxes to attack a product cipher.

Diffie-Hellman protocol  A protocol for creating a session key without using a KDC.

diffusion  A desired property of a block cipher introduced by Shannon that hides the relationship between the ciphertext and the plaintext; this frustrates the adversary who uses ciphertext statistics to find the plaintext.

digital signature  A security mechanism in which the sender can electronically sign the message and the receiver can verify the message to prove that the message is indeed signed by the sender.

Digital Signature Algorithm (DSA)  The digital signature algorithm used by the Digital Signature Standard (DSS).

digital signature scheme  A method of systematic creation of a secure digital signature.

Digital Signature Standard (DSS)  The digital signature standard adopted by NIST under FIPS 186.

digram  A two-letter string.

discrete logarithm  The integer $d$ is called the discrete logarithm of $a$ to the base $r$ if $r^d \equiv a \pmod{n}$, where $r$ is a primitive root of $n$, and $a$ and $n$ are relatively prime.

distributivity  In an algebraic structure with two operations $\square$ and $\bullet$, distributivity of $\square$ over $\bullet$ means that for all elements $a$, $b$, and $c$ of the underlying set, we have $a \square (b \bullet c) = (a \square b) \bullet (a \square c)$ and $(a \bullet b) \square c = (a \square c) \bullet (b \square c)$.

divisibility  If $a$ and $b$ are integers and $a \ne 0$, we say that $a$ divides $b$ if there is an integer $k$ such that $b = k \times a$.

divisibility test  The most elementary deterministic method for a primality test, in which the number $n$ is declared a prime if no integer between 2 and $\sqrt{n}$ divides it.

double DES (2DES)  A cipher that uses two instances of DES ciphers for encryption and two instances of reverse ciphers for decryption.



double transposition cipher  A transposition cipher in which the same encryption or decryption algorithm is applied twice, with two keys or the same key.

E

electronic codebook (ECB) mode  A mode of operation in which each block is encrypted independently with the same cipher key.

electronic mail (e-mail)  An electronic version of a postal mail system.

ElGamal cryptosystem  An asymmetric-key cryptosystem, devised by ElGamal, which is based on the discrete logarithm problem.

ElGamal signature scheme  The digital signature scheme derived from the ElGamal cryptosystem using the same keys.

elliptic curves  Cubic equations in two variables of the following form: $y^2 + b_1 xy + b_2 y = x^3 + a_1 x^2 + a_2 x + a_3$.

elliptic curve cryptosystem  An asymmetric-key cryptosystem based on elliptic curves.

elliptic curve logarithm problem  Given two points $e_1$ and $e_2$ on an elliptic curve, this problem must find the multiplier $r$ such that $e_2 = r \times e_1$.

elliptic curve digital signature scheme (ECDSA)  A digital signature algorithm based on DSA but using elliptic curves.

Encapsulating Security Payload (ESP)  A protocol in IPSec that provides source authentication, integrity, and privacy.

encipherment  See encryption.

encoding  The term has many definitions. In this text, one of its meanings is to transform a $2^n$-bit string with only a single 1 into an $n$-bit integer. The position of the single 1 defines the value of the integer.

encryption  Producing ciphertext from plaintext using a cryptosystem.

Enigma machine  A machine based on the principle of rotor ciphers. It was used by the German army during World War II.

entity authentication  A technique designed to let one party prove the identity of another party. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.

ephemeral Diffie-Hellman  A version of the Diffie-Hellman key exchange protocol in which each party sends a Diffie-Hellman half-key signed with its private key.

Euclidean algorithm  An algorithm to find the greatest common divisor of two positive integers.

Euler's phi-function  A function that finds the number of integers that are both smaller than $n$ and relatively prime to $n$.

Euler's theorem  A generalization of Fermat's little theorem in which the modulus is any positive integer, not necessarily a prime.

existence of identity  In an algebraic structure, if $a$ is an element of the underlying set and $\bullet$ denotes one of the operations, this property guarantees that there exists an element $e$, called the identity element, such that $a \bullet e = e \bullet a = a$.

existence of inverse  In an algebraic structure, if $a$ is an element of the underlying set and $\bullet$ denotes one of the operations, this property guarantees that there exists an element $a'$, called the inverse element, such that $a \bullet a' = a' \bullet a = e$, where $e$ is the identity element.



existential forgery  A type of signature forgery in which the forger may be able to create a valid message-signature pair, but not one that she can really use.

expansion P-box  A P-box with $n$ inputs and $m$ outputs, where $m > n$.

extended Euclidean algorithm  An algorithm that, given two integers $a$ and $b$, can find the values of two variables, $s$ and $t$, that satisfy the equation $s \times a + t \times b = \gcd(a, b)$. The algorithm can also find the multiplicative inverse of an integer in modular arithmetic.

F

factorization  Finding all prime factors of an integer.

false acceptance rate (FAR)  The parameter measuring how often the system recognizes a person who should not be recognized.

false rejection rate (FRR)  The parameter measuring how often the system fails to recognize a person who should be recognized.

Federal Information Processing Standard (FIPS)  A U.S. document specifying a data-processing standard.

feedback function  The function used in a feedback shift register. The input to the function is all cell values; the output is the value fed to the first cell.

feedback shift register (FSR)  A shift register with a feedback function.

Feige-Fiat-Shamir protocol  A zero-knowledge authentication method similar to the Fiat-Shamir protocol but using a vector of private keys.

Feistel cipher  A class of product ciphers consisting of both invertible and noninvertible components. A Feistel cipher combines the noninvertible elements in a unit (called a mixer in this text) and uses the same unit in the encryption and decryption algorithms.

Fermat factorization method  A factorization method in which an integer $n$ is written as the difference of two squares, $n = a^2 - b^2 = (a - b)(a + b)$, which yields two factors of $n$.

Fermat number  A set of integers in the form $F_n = 2^{2^n} + 1$, where $n$ is a nonnegative integer.

Fermat primality test  A primality test based on Fermat's little theorem.

Fermat prime  A Fermat number that is a prime.

Fermat's little theorem  In the first version, if $p$ is a prime and $a$ is an integer such that $p$ does not divide $a$, then $a^{p-1} \equiv 1 \pmod{p}$. In the second version, if $p$ is a prime and $a$ is an integer, then $a^p \equiv a \pmod{p}$.

Fiat-Shamir protocol  A zero-knowledge authentication method devised by Fiat and Shamir.

field  An algebraic structure with two operations in which the second operation satisfies all five properties defined for the first operation, except that the identity element of the first operation has no inverse with respect to the second operation.

finite field  A field with a finite number of elements.

finite group  A group with a finite number of elements.

fixed Diffie-Hellman  In SSL or TLS, a version of the Diffie-Hellman protocol in which each entity creates a fixed half-key and sends the half-key embedded in a certificate.

fixed password  A password that is used repeatedly for every access.

function  A mapping that associates one element in set A, called the domain, to one element in set B, called the range.



G

Galois field  See finite field.

greatest common divisor (gcd)  The largest positive integer that divides both of two given integers $a$ and $b$.

group  An algebraic structure with only one binary operation that satisfies four properties: closure, associativity, existence of identity, and existence of inverse.

Guillou-Quisquater protocol  An extension of the Fiat-Shamir protocol in which a smaller number of rounds can be used to prove the identity of the claimant.

H

Handshake Protocol  In SSL and TLS, the protocol that uses messages to negotiate the cipher suite, to authenticate the server to the client and the client to the server, and to exchange information for building the cryptographic secrets.

hashed message authentication  Authentication using a message digest.

hashed message authentication code (HMAC)  A standard issued by NIST (FIPS 198) for a nested MAC.

hashing  A cryptographic technique in which a fixed-length message digest is created from a variable-length message.

HAVAL  A variable-length hashing algorithm with digests of size 128, 160, 192, 224, and 256 bits. The block size is 1024 bits.

Hill cipher  A polyalphabetic cipher in which the plaintext is divided into equal-size blocks. The blocks are encrypted one at a time in such a way that each character in the block contributes to the encryption of the other characters in the block.

Hypertext Transfer Protocol (HTTP)  An application-layer protocol for accessing the World Wide Web.

I

infinite group  A group with an infinite number of elements.

initial vector (IV)  A block used by some modes of operation to initialize the process.

input pad (ipad)  The first padding used in the HMAC algorithm.

integrity  See data integrity.

International Telecommunication Union-Telecommunication Standardization Sector (ITU-T)  An international standards group responsible for communication standards.

Internet Engineering Task Force (IETF)  A group working on the design and development of the TCP/IP protocol suite and the Internet.

Internet Key Exchange (IKE)  A protocol designed to create security associations in IPSec.

Internet Security Association and Key Management Protocol (ISAKMP)  A protocol designed by the NSA that implements the exchanges defined in IKE.

inverse cipher  The decryption algorithm.

inverse function  A function that associates each element in the range with exactly one element in the domain.

InvMixColumns  In AES, the inverse of the MixColumns operation, used in the reverse cipher.



InvShiftRows  In AES, the inverse of the ShiftRows operation, used in the reverse cipher.

InvSubBytes  In AES, the inverse of the SubBytes operation, used in the reverse cipher.

Internet Protocol Security (IPSec)  A collection of protocols designed by the IETF to provide security for a packet at the network level.

irreducible polynomial  A polynomial of degree $n$ with no divisor polynomial of degree between 1 and $n - 1$. An irreducible polynomial cannot be factored into polynomials of degree less than $n$.

iterated cryptographic hash function  A hashing function in which a function with fixed-size input is created and is used a necessary number of times.

K

Kasiski test  A test to find the key length in a polyalphabetic cipher.

Kerberos  An authentication protocol, and at the same time a KDC, developed at MIT as part of Project Athena.

Kerckhoffs's principle  A principle in cryptography that one should always assume that the adversary knows the encryption/decryption algorithm. Therefore, the cipher's resistance to attacks must be based only on the secrecy of the key.

key  A set of values that the cipher, as an algorithm, operates on.

key complement  A string made by inverting each bit in the key.

key-distribution center (KDC)  A trusted third party that establishes a shared secret key between two parties.

key domain  The possible set of keys for a cipher.

key expansion  In a round cipher, the process of creating round keys from the cipher key.

key generator  The algorithm that creates round keys from a cipher key.

key-only attack  An attack on a digital signature in which the attacker has access only to the public key.

key material  In SSL and TLS, a variable-length string from which the necessary keys and parameters for communication are extracted.

key ring  A set of public or private keys used in PGP.

key schedule  See key expansion.

knapsack cryptosystem  The first idea in public-key cryptography, devised by Merkle and Hellman using a knapsack of integers.

known-message attack  An attack on a digital signature in which the attacker has access to one or more message-signature pairs.

known-plaintext attack  An attack in which the attacker uses a set of known plaintexts and their corresponding ciphertexts to find the cipher key.

L

least residue  The remainder in modular arithmetic.

linear congruence  In this text, an equation of the form $ax \equiv b \pmod{n}$.

linear cryptanalysis  A known-plaintext attack, presented by Mitsuru Matsui, that uses a linear approximation to analyze a block cipher.



WARY 

% 

linear feedback shift register (LFSR) A feedback shift register in which the feedback function is linear.

linear Diophantine equation An equation of two variables of the form ax + by = c.

linear S-box An S-box in which each output is a linear function of the inputs.

low-private-exponent attack In RSA, an attack that can be launched if the private exponent is small.

main mode In IKE, any mode that uses a six-message exchange.

man-in-the-middle attack An attack on the Diffie-Hellman protocol in which the attacker fools the two parties involved in the protocol by creating two session keys: one between the first party and the attacker, the other between the attacker and the second party.

masquerading A type of attack on the integrity of information in which the attacker impersonates someone else. See spoofing.

master secret In SSL, a 48-byte secret created from the pre-master secret.

matrix A rectangular array of l × m elements, in which l is the number of rows and m is the number of columns.

Matyas-Meyer-Oseas scheme A dual version of the Davies-Meyer scheme in which the message block is used as the key to the cryptosystem.

meet-in-the-middle attack In double encipherment, an attack that tries to find a plaintext and a ciphertext such that the encryption of the first and the decryption of the second are the same.

Merkle-Damgard scheme An iterated hash function that is collision resistant if the compression function is collision resistant.

Mersenne number A set of integers in the form M_p = 2^p − 1, where p is a prime.

Mersenne prime A Mersenne number that is a prime.

message access agent (MAA) A client program that pulls stored messages from a server.

message authentication Proving the authenticity of a sender in a connectionless communication.

message authentication code (MAC) An MDC that includes a secret between two parties.

message digest The fixed-length string created by applying a hash function to a message.

Message Digest (MD) A set of several hash algorithms designed by Ron Rivest and referred to as MD2, MD4, and MD5.

message digest domain The set of possible results of a cryptographic hash function.

message transfer agent (MTA) An e-mail component that transfers messages across the Internet.

Miller-Rabin primality test A combination of the Fermat test and the square root test to find a strong pseudoprime.

MixColumns In AES, an operation that transforms each column of the state to a new column.

mixer In a Feistel cipher, a self-invertible component made of the noninvertible function and an exclusive-or operation.

MixRows In Whirlpool, an operation similar to MixColumns in AES except that rows, instead of columns, are mixed.




GLOSSARY 697



Miyaguchi-Preneel scheme An extended version of Matyas-Meyer-Oseas, in which the plaintext, the cipher key, and the ciphertext are all exclusive-ored together to create the new digest.

modes of operation A set of modes devised to encipher text of any size employing block ciphers of fixed sizes.

modern block cipher A symmetric-key cipher in which each n-bit block of plaintext is encrypted to an n-bit block of ciphertext using the same key.

modern stream cipher A symmetric-key cipher in which encryption and decryption are done r bits at a time using a stream of keys.

modification A type of attack on the integrity of information in which the attacker delays, deletes, or changes information to make it beneficial to herself.

modification detection code (MDC) A message digest that can prove the integrity of the message.

modular arithmetic A type of arithmetic in which, when dividing an integer by another, only one of the outputs, the remainder r, is used and the quotient is dropped.

modulo operator (mod) The operator used in modular arithmetic to create the remainder.

modulus The divisor in modular arithmetic.

monoalphabetic cipher A substitution cipher in which a symbol in the plaintext is always changed to the same symbol in the ciphertext, regardless of its position in the text.

monoalphabetic substitution cipher A cipher in which the key is a mapping between each plaintext character and the corresponding ciphertext character.

multiplicative cipher A cipher in which the encryption algorithm specifies multiplication of the plaintext by the key and the decryption algorithm specifies division of the ciphertext by the key.

multiplicative inverse In modular arithmetic, a and b are multiplicative inverses of each other if (a × b) mod n = 1.
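The entries for least residue, linear congruence, modular arithmetic and multiplicative inverse above all rest on the same computation, the extended Euclidean algorithm. The block below is an added example, not code from the book: it computes least residues, decides whether a multiplicative inverse exists (only when gcd(a, n) = 1) and lists every solution of ax ≡ b (mod n). All function names are this example's own.

```python
# Added example (not from the book): least residues, multiplicative inverses
# and linear congruences ax = b (mod n), all via the extended Euclidean
# algorithm. All names are this example's own.

def extended_gcd(a: int, b: int):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g (Bezout identity)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def least_residue(a: int, n: int) -> int:
    """The least nonnegative residue of a modulo n (the r in a = q*n + r, 0 <= r < n)."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    return a % n  # Python's % already yields the least nonnegative residue


def mod_inverse(a: int, n: int):
    """Multiplicative inverse of a modulo n, or None when gcd(a, n) != 1.

    An inverse exists exactly when a and n are coprime; then s from the Bezout
    identity s*a + t*n = 1 gives s*a = 1 (mod n).
    """
    g, s, _ = extended_gcd(least_residue(a, n), n)
    if g != 1:
        return None
    return s % n


def solve_linear_congruence(a: int, b: int, n: int):
    """All solutions x in Z_n of a*x = b (mod n), in increasing order.

    With g = gcd(a, n): no solution unless g divides b; otherwise exactly g
    solutions, spaced n/g apart, found by reducing to a coprime instance.
    """
    a, b = least_residue(a, n), least_residue(b, n)
    g, _, _ = extended_gcd(a, n)
    if b % g != 0:
        return []
    a1, b1, n1 = a // g, b // g, n // g
    x0 = (mod_inverse(a1, n1) * b1) % n1
    return [x0 + k * n1 for k in range(g)]


if __name__ == "__main__":
    print(mod_inverse(3, 11))                 # 4, since 3 * 4 = 12 = 1 (mod 11)
    print(mod_inverse(4, 8))                  # None, gcd(4, 8) = 2
    print(solve_linear_congruence(14, 12, 18))  # [6, 15]: two solutions, g = 2
```

The congruence solver is the general form of the definition given above: it returns the empty list when gcd(a, n) does not divide b, and otherwise exactly gcd(a, n) solutions.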

Multipurpose Internet Mail Extension (MIME) A protocol that allows non-ASCII data to be sent through e-mail.

N

National Institute of Standards and Technology (NIST) An agency in the U.S. government that develops standards and technology.

National Security Agency (NSA) A U.S. intelligence-gathering security agency.

Needham-Schroeder protocol A key-exchange protocol using a KDC that uses multiple challenge-response interactions between parties.

nested MAC A two-step MAC.

New European Schemes for Signatures, Integrity, and Encryption (NESSIE) The European research project to identify secure cryptographic algorithms.

nonce A random number that can be used only once.

non-Feistel cipher A product cipher that uses only invertible components.

nonlinear feedback shift register (NLFSR) A feedback shift register in which the feedback function is nonlinear.

nonlinear S-box An S-box in which there is at least one output that is not a linear function of the inputs.




nonrepudiation A security service that protects against a repudiation attack by either the sender or the receiver of the data.

nonsingular elliptic curve An elliptic curve in which the equation x^3 + ax + b = 0 has three distinct roots.

nonsynchronous stream cipher A stream cipher in which each key in the key stream depends on a previous plaintext or ciphertext.

notarization A security mechanism that selects a trusted third party to control the communication between two entities.

O

Oakley A key-exchange protocol developed by Hilarie Orman; it is an improved Diffie-Hellman key-exchange method.

one-time pad A cipher invented by Vernam in which the key is a random sequence of symbols having the same length as the plaintext.

one-time password A password that is used only once.

one-way function (OWF) A function that can be easily calculated, but the calculation of its inverse is infeasible.

optimal asymmetric encryption padding (OAEP) A method proposed by the RSA group and some vendors that applies a sophisticated procedure to pad a message for encryption using RSA.

order of a group The number of elements in the group.

order of an element In a group, the smallest positive integer n such that a^n = e.

Otway-Rees protocol A key-exchange protocol similar to the Needham-Schroeder protocol, but more sophisticated.

output feedback (OFB) mode A mode of operation similar to CFB, but the shift register is updated by the previous r-bit key.

output pad (opad) The second padding used in the HMAC algorithm.
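The nested MAC and output pad (opad) entries describe HMAC, which is two hash computations: an inner one over the key XORed with the inner pad and the message, and an outer one over the key XORed with opad and the inner digest. The block below is an added example, not the book's code; it builds HMAC-SHA256 from those two pads and cross-checks the result against Python's standard hmac module. The names hmac_sha256, verify_tag and matches_stdlib are this example's own.

```python
# Added example (not from the book): HMAC built from the inner pad (ipad)
# and outer pad (opad) as a nested MAC, checked against the standard library.
# hmac_sha256, verify_tag and matches_stdlib are this example's own names.
import hashlib
import hmac

BLOCK_SIZE = 64                      # SHA-256 processes 64-byte blocks
IPAD = bytes([0x36]) * BLOCK_SIZE    # inner pad: 0x36 repeated
OPAD = bytes([0x5C]) * BLOCK_SIZE    # outer pad: 0x5C repeated


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC = H((K ^ opad) || H((K ^ ipad) || message)) with H = SHA-256."""
    if len(key) > BLOCK_SIZE:             # long keys are hashed down first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to one block
    inner = hashlib.sha256(_xor(key, IPAD) + message).digest()  # first step
    return hashlib.sha256(_xor(key, OPAD) + inner).digest()      # second step


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so a verifier does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against hmac.new from the standard library."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    # constructed sample key and message
    k, m = b"shared-secret", b"constructed sample message"
    t = hmac_sha256(k, m)
    print(t.hex())
    print(verify_tag(k, m, t), verify_tag(k, m + b"!", t))  # True False
```

The outer hash over opad is what turns a plain keyed digest into a nested MAC: an attacker who can extend the inner hash cannot extend the outer one without the key.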

P

passive attack A type of attack in which the attacker's goal is to obtain information; the attack does not modify data or harm the system.

password-based authentication The simplest and oldest method of entity authentication, in which a password is used to identify the claimant.

pattern attack An attack on a transposition cipher that uses the repeated pattern created in the ciphertext.

P-box A component in a modern block cipher that transposes bits.

Perfect Forward Security (PFS) The property of a cryptosystem in which the disclosure of a long-term secret does not compromise the security of future communication.

permutation group A group in which the set is all permutations of the elements, and the operation is composition.

pigeonhole principle The principle that if n pigeonholes are occupied by n + 1 pigeons, then at least one pigeonhole is occupied by two pigeons.






plaintext The message before encryption or after decryption.

Playfair cipher A polyalphabetic cipher in which the secret key is made of 25 alphabet letters arranged in a 5 × 5 matrix.

Pollard p − 1 factorization method A method developed by John M. Pollard that finds a prime factor of a number based on the condition that p − 1 has no factor larger than a predefined value called the bound.

Pollard rho factorization method A method developed by John M. Pollard that finds a prime factor of a number, in which the values output by the algorithm are repeated, creating a shape similar to the Greek letter rho (ρ).

polyalphabetic cipher A cipher in which each occurrence of a character may have a different substitute.

polynomial An expression of the form a_n x^n + a_{n−1} x^{n−1} + … + a_0 x^0, where a_i x^i is called the ith term and a_i is called the coefficient of the ith term.

possible weak keys A set of 48 keys in DES, where each key creates only four distinct round keys.

power attack In RSA, an attack similar to the timing attack that measures the power consumed during decryption.

preimage resistance The first property of a cryptographic hash function, in which, given y and y = h(M), it must be extremely difficult for the adversary to find any message M' such that y = h(M').

pre-master secret In SSL, a secret exchanged between the client and server before calculation of the master secret.

Pretty Good Privacy (PGP) A protocol invented by Phil Zimmermann to provide e-mail with privacy, integrity, and authentication.

primality test A deterministic or probabilistic algorithm that determines whether a positive integer is a prime.

prime A positive integer that is exactly divisible by only two integers, 1 and itself.

primitive polynomial An irreducible polynomial that divides x^e + 1, where e is the least integer of the form e = 2^k − 1.

primitive root In the group G = <Z_n*, ×>, when the order of an element is the same as φ(n), that element is called a primitive root of the group.

private key In an asymmetric-key cryptosystem, the key used for decryption. In a digital signature, the key is used for signing.

product cipher A complex cipher, introduced by Shannon, that combines substitution, permutation, and other components to provide confusion and diffusion effects.

pseudoprime A number that passes several primality tests, but is not guaranteed to be a prime.

pseudorandom function (PRF) In TLS, a function that combines two data-expansion functions, one using MD5 and the other using SHA-1.

public key In an asymmetric-key cryptosystem, the key used for encryption. In a digital signature, the key is used for verification.

public-key infrastructure (PKI) A model for creating and distributing certificates based on X.509.






Q

quadratic residue An integer a in Z_n* is a quadratic residue if the congruence x^2 ≡ a (mod n) has a solution.

quoted-printable An encoding in which a printable ASCII character is sent as is; a character that is not is sent as an equals sign followed by its two-digit hexadecimal code.

R

radix-64 An encoding that converts binary data into printable characters, each group of six bits being interpreted as one of 64 printable characters.

Random Oracle Model An ideal mathematical model for a cryptographic hash function.

RC4 A byte-oriented stream cipher designed by Ronald Rivest.

Record Protocol In SSL, the protocol that carries messages from the upper layer (the Handshake, ChangeCipherSpec and Alert protocols, or application data).

related message attack An attack on RSA, discovered by Franklin and Reiter, in which two plaintexts related by a known linear relation are encrypted with the same key.

relatively prime Two integers are relatively prime if their greatest common divisor is 1.

replay attack See replaying.

replaying A type of attack on the integrity of information in which the attacker intercepts the message and resends it again.

residue Remainder.

residue class A set of least residues.

revealed private exponent attack An attack on RSA that exploits a disclosed private exponent.

ring An algebraic structure with two operations, in which the first operation must satisfy all five properties required for an abelian group.






rotor cipher A monoalphabetic substitution that changes the mapping (key) between the plaintext and the ciphertext characters for each plaintext character.

RotWord In AES, an operation similar to the ShiftRows operation applied to only one row or column in the key-expansion process.

round Each iterated section in an iterative block cipher.

round-keys generation In a modern block cipher, the process that creates round keys from the cipher key.

routing control A security mechanism that continuously changes different available routes between the sender and the receiver to prevent the opponent from eavesdropping on a particular route.

row matrix A matrix with only one row.

RSA cryptosystem The most common public-key algorithm, devised by Rivest, Shamir, and Adleman.

RSA signature scheme A digital signature scheme that is based on the RSA cryptosystem, but changes the roles of the private and public keys: the sender uses her own private key to sign the document, and the receiver uses the sender's public key to verify it.

S

salting A method of improving password-based authentication in which a random string, called the salt, is concatenated to the password.

S-box A component in a block cipher that substitutes the bits in the input with new bits in the output.

Schnorr signature scheme A digital signature scheme based on the ElGamal digital signature scheme but with a reduced signature size.

second preimage resistance A desired property of a cryptographic hash function in which, given M and h(M), the intruder cannot find another message M' such that h(M') = h(M).

Secure Hash Algorithm (SHA) A series of hash function standards developed by NIST and published as FIPS 180. It is mostly based on MD5.

Secure Key Exchange Mechanism (SKEME) A protocol designed by Hugo Krawczyk for key exchange that uses public-key encryption for entity authentication.

Secure Sockets Layer (SSL) A protocol designed to provide security and compression services to data generated from the application layer.

Secure/Multipurpose Internet Mail Extension (S/MIME) An enhancement to MIME designed to provide security for electronic mail.

Security Association (SA) In IPSec, a logical relationship between two hosts.

Security Association Database (SAD) A two-dimensional table with each row defining a single security association (SA).

security attacks Attacks threatening the security goals of a system.

security goals The three goals of information security: confidentiality, integrity, and availability.

security mechanisms Eight mechanisms recommended by ITU-T to provide security services: encipherment, data integrity, digital signature, authentication exchange, traffic padding, routing control, notarization, and access control.

Security Policy (SP) In IPSec, a set of predefined security requirements applied to a packet when it is to be sent or when it has arrived.




Security Policy Database (SPD) A database of security policies (SPs).

security services Services related to the security goals and attacks: data confidentiality, data integrity, authentication, nonrepudiation, and access control.

selective forgery A type of forgery in which the forger may be able to create a valid signature on a message chosen by the forger.

session In SSL, an association between two parties. After a session is established, the two parties share common information such as the certificate authenticating each of them and a master secret that is used to create keys for message authentication and encryption.

session key A secret one-time key between two parties.

set of integers The set of all integral numbers, from negative infinity to positive infinity.

set of residues The set of positive integers modulo n.

SHA-1 An SHA with a block of 512 bits and a digest of 160 bits.

SHA-224 An SHA with a block of 512 bits and a digest of 224 bits.

SHA-256 An SHA with a block of 512 bits and a digest of 256 bits.

SHA-384 An SHA with a block of 1024 bits and a digest of 384 bits.

SHA-512 An SHA with a block of 1024 bits and a digest of 512 bits.

shared secret key The key used in a symmetric-key cryptosystem.

shift cipher A type of additive cipher in which the key shifts the characters toward the end of the alphabet.

ShiftColumns In Whirlpool, a transformation similar to the ShiftRows transformation in AES except that the columns, instead of rows, are shifted.

shift register A sequence of cells in which each cell holds a single bit; shifting the values of the bits creates a sequence of bits.
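The shift register entry above, together with the earlier entries for the linear feedback shift register (LFSR) and the nonlinear feedback shift register, describes a small state machine that is easiest to see running. The block below is an added example, not code from the book: a shift register with a pluggable feedback function, a linear feedback built from tap positions, a period check, and a toy stream cipher that XORs the register's key stream into data. The class and function names (FeedbackShiftRegister, lfsr, period, stream_xor) are this example's own.

```python
# Added example (not from the book): a feedback shift register whose feedback
# function is pluggable, an LFSR (linear feedback: XOR of tapped cells) and a
# toy stream cipher that XORs the key stream into the data.
# Class and function names are this example's own.
from typing import Callable, List


class FeedbackShiftRegister:
    """Cells b[0..m-1]; each clock outputs b[0], shifts left and fills
    b[m-1] with feedback(cells)."""

    def __init__(self, seed: List[int], feedback: Callable[[List[int]], int]):
        if not seed or any(bit not in (0, 1) for bit in seed):
            raise ValueError("seed must be a non-empty list of bits")
        self.cells = list(seed)
        self.feedback = feedback

    def clock(self) -> int:
        out = self.cells[0]
        new_bit = self.feedback(self.cells)
        self.cells = self.cells[1:] + [new_bit]
        return out

    def stream(self, count: int) -> List[int]:
        return [self.clock() for _ in range(count)]


def lfsr(seed: List[int], taps: List[int]) -> FeedbackShiftRegister:
    """Linear feedback: XOR (sum mod 2) of the tapped cells, taps = cell indices.
    Taps [0, 1] on a 4-cell register realise x^4 + x + 1, which is primitive,
    so every nonzero seed runs through all 15 nonzero states."""
    return FeedbackShiftRegister(seed, lambda c: sum(c[i] for i in taps) % 2)


def period(fsr: FeedbackShiftRegister, limit: int = 1 << 16) -> int:
    """Clocks until the register state recurs. The key stream repeats with
    this period, so a short period is a weakness for a stream cipher."""
    start = list(fsr.cells)
    for n in range(1, limit + 1):
        fsr.clock()
        if fsr.cells == start:
            return n
    return -1  # sentinel: no recurrence of the start state within the limit


def stream_xor(data: bytes, seed: List[int], taps: List[int]) -> bytes:
    """Encrypt or decrypt (same operation): XOR each data bit with a key-stream bit."""
    fsr = lfsr(seed, taps)
    out = bytearray()
    for byte in data:
        key_byte = 0
        for _ in range(8):
            key_byte = (key_byte << 1) | fsr.clock()
        out.append(byte ^ key_byte)
    return bytes(out)


if __name__ == "__main__":
    reg = lfsr([1, 0, 0, 0], [0, 1])
    print(reg.stream(15))                     # one full period of key bits
    print(period(lfsr([1, 0, 0, 0], [0, 1])))  # 15 = 2^4 - 1
    print(period(lfsr([0, 0, 0, 0], [0, 1])))  # 1: the all-zero seed is stuck
    # a nonlinear feedback (AND of two cells) from all-ones is also stuck
    print(period(FeedbackShiftRegister([1, 1, 1, 1], lambda c: c[0] & c[1])))
    msg = b"constructed sample"
    ct = stream_xor(msg, [1, 0, 1, 1], [0, 1])
    print(stream_xor(ct, [1, 0, 1, 1], [0, 1]) == msg)  # True
```

A 4-cell register gives at most 15 distinct key bits before the stream repeats, which is why a real stream cipher needs a much longer register (or several combined nonlinearly) and must never start from the all-zero state.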

ShiftRows In AES, a transformation that shifts bytes.

short-message attack An attack on RSA in which the attacker knows the set of possible plaintexts and encrypts them to find a ciphertext equivalent to the one intercepted.

signing algorithm In a digital signature scheme, the process used by the sender to sign a document.

singular elliptic curve An elliptic curve in which the equation x^3 + ax + b = 0 does not have three distinct roots.

something inherent A characteristic of the claimant, such as conventional signatures, fingerprints, voice, facial characteristics, and handwriting, used for entity authentication.




something known A secret known only by the claimant that can be checked by the verifier in entity authentication.

something possessed Something belonging to the claimant that can prove the claimant's identity, such as a passport, a driver's license, an identification card, a credit card, or a smart card.

split operation An operation in a block cipher that splits a block in the middle, creating two equal-length blocks.

spoofing See masquerading.

square-and-multiply algorithm A fast exponentiation method in which two operations, squaring and multiplying, are used instead of only the multiplying operation.
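The square-and-multiply entry above, and the earlier Miller-Rabin primality test entry (a combination of the Fermat test and the square root test), are shown together below as an added example that is not the book's code. It carries the exponentiation through bit by bit, shows why the Fermat test alone is fooled by the Carmichael number 561, and runs the square-root check that Miller-Rabin adds. All function names are this example's own.

```python
# Added example (not from the book): square-and-multiply exponentiation, the
# Fermat and square-root ideas behind Miller-Rabin, and the test itself.
# All names are this example's own.
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def square_and_multiply(a: int, e: int, n: int) -> int:
    """a^e mod n scanning e's bits from least significant: square every step,
    multiply only where the bit is 1. The conditional multiply is the step
    whose extra time a timing attack observes."""
    if e < 0:
        raise ValueError("exponent must be nonnegative")
    result, base = 1 % n, a % n
    while e:
        if e & 1:
            result = result * base % n
        base = base * base % n
        e >>= 1
    return result


def fermat_test(n: int, a: int) -> bool:
    """Fermat test alone: passes if a^(n-1) = 1 (mod n). Carmichael numbers
    such as 561 = 3 * 11 * 17 pass for every coprime base, so this is not enough."""
    return square_and_multiply(a, n - 1, n) == 1


def is_strong_pseudoprime(n: int, a: int) -> bool:
    """One Miller-Rabin round: write n-1 = 2^k * m with m odd and check that
    the chain a^m, a^(2m), ... reaches 1 only via -1 (the square root test:
    modulo a prime the only square roots of 1 are +1 and -1)."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k, m = k + 1, m // 2
    x = square_and_multiply(a, m, n)
    if x in (1, n - 1):
        return True
    for _ in range(k - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def miller_rabin(n: int, rounds: int = 20, rng: random.Random = None) -> bool:
    """Probabilistic primality test: False is certain; True means n is a strong
    pseudoprime to every base tried (error probability at most 4^-rounds)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # trial division settles every n <= 37
        if n % p == 0:
            return n == p
    rng = rng or random.Random(2024)  # seeded only so the demo is reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not is_strong_pseudoprime(n, a):
            return False
    return True


if __name__ == "__main__":
    print(square_and_multiply(7, 560, 561))   # 1: Fermat is satisfied ...
    print(fermat_test(561, 2), miller_rabin(561))  # True False: ... but 561 is composite
    print(miller_rabin(97), miller_rabin(2**61 - 1))  # True True (Mersenne prime M_61)
```

The square root test is what catches 561: base 2 reaches 1 in the chain a^m, a^(2m), … by passing through 67, whose square is 1 modulo 561, so 67 is a nontrivial square root of 1 and 561 cannot be prime.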

square matrix A matrix with the same number of rows and columns.

square root primality test method A method of primality testing based on the fact that the square root of a positive integer modulo n is only +1 or −1.

state In AES, a unit of data in intermediate stages consisting of a matrix of 16 bytes. In S-AES a unit of data consists of nibbles.

station-to-station protocol A method of creating a session key based on the Diffie-Hellman protocol that uses public-key certificates to prevent man-in-the-middle attacks.

statistical attack An attack in which the attacker uses known statistical characteristics of the plaintext language, such as letter frequencies.

steganography A security technique in which a message is concealed by covering it with something else.

straight P-box A P-box with n inputs and n outputs.

stream cipher A type of cipher in which encryption and decryption are done one symbol (such as a character or a bit) at a time.

SubBytes In AES, a transformation that uses a table to substitute bytes.

subgroup A subset H of a group G is a subgroup of G if H itself is a group with respect to the operation on G.

substitution cipher A cipher that replaces one symbol with another.

SubWord In AES, a routine similar to the SubBytes transformation, but applied only to one row.

superincreasing tuple A tuple in which each element is greater than or equal to the sum of all previous elements.

symmetric-key cryptosystem A cryptosystem in which a single secret key is used for both encryption and decryption.

symmetric-key encipherment An encipherment using a symmetric-key cryptosystem.

synchronous stream cipher A stream cipher in which the key stream is independent of the plaintext or ciphertext stream.

T 

ticket An encrypted message intended for entity B, but sent to entity A for delivery.

ticket-granting server (TGS) In Kerberos, the server that creates tickets for the real server.

timestamped signatures A digital signature with a timestamp to prevent it from being replayed by an adversary.

timing attack An attack on RSA based on the fast exponentiation algorithm. The attack uses the fact that the time required to do each iteration is longer if the corresponding bit is 1.




traffic analysis A type of attack on confidentiality in which the attacker obtains some information by monitoring online traffic.

traffic padding A security mechanism in which some bogus data are inserted into the data traffic to thwart traffic-analysis attacks.

Transport Layer Security (TLS) An IETF version of the SSL protocol.

transport mode A mode in IPSec that protects what is delivered from the transport layer to the network layer.

transposition cipher A cipher that transposes symbols in the plaintext to create the ciphertext.



trigram A three-letter string.



trapdoor A feature of an algorithm that allows an intruder to bypass the security if she knows that feature.

trapdoor one-way function (TOWF) A one-way function that can be reversed if one knows the trapdoor.

trial division factorization method The simplest and least efficient algorithm to find the factors of a positive integer, in which all positive integers, starting with 2, are tried to find one that divides n.

triple DES A cipher that uses three instances of DES ciphers for encryption and three instances of reverse DES ciphers for decryption.

triple DES with three keys A triple DES implementation where there are three keys: K1, K2, and K3.

triple DES with two keys A triple DES implementation where there are only two keys: K1 and K2. The first and the third stages use K1; the second stage uses K2.

tunnel mode A mode in IPSec that protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.

U

unconcealed message attack An attack on RSA, based on the permutation relationship between plaintext and ciphertext; an unconcealed message is a message that encrypts to itself.

undeniable signatures A signature scheme invented by Chaum and van Antwerpen with three components: a signing algorithm, a verification protocol, and a disavowal protocol.

user agent (UA) A component in an e-mail system that prepares the message and the envelope.

V

verifying algorithm The algorithm that verifies the validity of a digital signature at the receiver site.

Vigenere cipher A polyalphabetic cipher designed by Blaise de Vigenere in which the key stream is a repetition of an initial secret key stream.

Vigenere tableau A table used to encrypt and decrypt in the Vigenere cipher.

W

weak keys A set of four keys in DES where each key, after dropping parity bits, consists either of all 0s, all 1s, or half 0s and half 1s.

web of trust In PGP, the key rings shared by a group of people.




Whirlpool A cryptosystem based on altered AES.

Whirlpool hash function An iterated cryptographic hash function, based on the Miyaguchi-Preneel scheme, designed by Vincent Rijmen and Paulo S. L. M. Barreto, and endorsed by NESSIE. It is based on the Whirlpool cryptosystem.

word In AES, a group of 32 bits that can be treated as a single entity, a row matrix of four bytes or a column matrix of four bytes.

X

X.509 A recommendation devised by ITU and accepted by the Internet that defines certificates in a structured way.

Z

zero-knowledge authentication An entity authentication method in which the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret without revealing it.




2DES See double DES
3DES See triple DES

A

abelian group 98, 322
access control 7, 8
active attack 5
additive cipher 62-63
  Caesar cipher 62-63
  cryptanalysis 63
  shift cipher 62-63
additive inverse 35
  elliptic curve 324
addressing 604-605
Address Resolution Protocol



Adobe PostScript 495
Advanced Encryption Standard (AES) 191
  AddRoundKey 206
  alternative design 214
  bits 193
  brute-force attack 219
  bytes 193
  cipher 213
  differential and linear attacks 219
  implementation 219
  InvAddRoundKey
  inverse cipher 213
  InvSubBytes 198
  key expansion 207
  MixColumns 204
  mixing 203
  number of rounds 192
  original design 213
  permutation 202
  round constants 209
  security 219
  state 193
  statistical attacks 219
  structure of each round 195
  SubBytes 196
  substitution 196
  words 193
AES See Advanced Encryption Standard
affine cipher 66-67
AH See Authentication Header
AKS algorithm 261
Alert Protocol 526
algebraic structures 19, 97
American National Standards Institute (ANSI) 600
American Standard Code for Information Interchange (ASCII) 593
AND operation 106
anonymous Diffie-Hellman 510
ANSI X9.17 PRNG 636
application layer 602
AS See authentication server
ASN.1 456
associativity 98
asymmetric-key ciphers 57
asymmetric-key cryptography 293
asymmetric-key encipherment 9
asymptotic complexity 641
asynchronous stream cipher 154
Atbash cipher 96
attack 3
  chosen-ciphertext 60
  chosen-plaintext 60
  ciphertext-only 58
  discrete logarithm 449
  known-plaintext 59
  man-in-the-middle 449
  masquerading 4
  modification 4
  on digital signature 395
  on implementation 309
  on Random Oracle Model 347



  on RSA 305
    decryption exponent 307
    encryption exponent 306
    modulus 309
  on signed digests 399
  repudiation 4
  threatening availability 5
  threatening confidentiality 3
  threatening integrity 4
  traffic analysis 3
authentication 8, 339
authentication data 553
authentication exchange 8
Authentication Header (AH) 552
  authentication data field 554
  next header field 553
  sequence number 554
Authentication Server (AS) 414
autokey cipher 69
availability 1-3
avalanche effect 175

B

best-effort delivery 603
big-O notation 641
bijection 20
biometrics 430
  accuracy 433
  applications 434
  authentication 431
  behavioral techniques 433
  components 431
  enrollment 431
  false acceptance rate (FAR) 434
  false rejection rate (FRR) 433
  fingerprint 432
  hands 433
  identification 432
  iris 432
  keystroke 433
  physiological techniques 432
  retina 432
  signature 433
  verification 431
  voice 433
birthday problem 345, 346, 611-613
bit-operation complexity 639
bit-oriented cipher
blind signature scheme 410
block cipher 59, 125
Blum Blum Shub (BBS)
brute-force method 58
bucket brigade attack 451



C

CA See certification authority
Caesar cipher 62-63
cardinality of primes 252
CAST-128 637
cave example 428
CBC See cipher-block chaining
CBC MAC 356
certification authority (CA) 454
CFB See cipher feedback
challenge-response authentication 421
  using asymmetric-key cipher 424
  using digital signature 425
  using keyed-hash functions 423
  using symmetric-key cipher 421
ChangeCipherSpec Protocol 525
character-oriented cipher 123
Chinese remainder theorem 273-275
chosen-ciphertext attack 60, 306
chosen-message attack 395
chosen-plaintext attacks 60, 651
cipher 56, 123
  affine 66
  Caesar 63
  monoalphabetic 61
  polyalphabetic 61
  substitution 61
  synchronous stream 149
  transposition 80
  Vigenere 72
cipher-based message authentication code (CMAC) 355-356
cipher block chaining mode (CBC) 227-230, 357
cipher feedback (CFB) mode 231
cipher suite 512
ciphertext 56
ciphertext stealing (CTS) 228, 230
ciphertext-only attack 58
  brute-force attack 58
  pattern attack 59
  statistical attack 59
circular notation 32
circular shift 135
circular shift operation 135
claimant 415, 416
classical probability assignment 608
ClientHello Message 531
clogging attack 564
closure 98
CMAC See cipher-based message authentication code
CMS See Cryptographic Message Syntax
code book
collision resistance 340-342
column matrix 40
combine operation
commutative group
commutative ring
commutativity 98
completeness effect 176






complexity 639 

asymptotic 64] 

foil operation 639 

constant 642 

exponential 642 

hierarchy 642 

login mrnic 642 

of a problem 64!? 

of an algorithm 639 

polynomial 642 

subex ponential 642 

superexponeniial 642 
complexity hierarchy 642 
complexity of a problem 639 

coiN-P class 643 

NP class 643 

P class 643 
complex iry of an 

algorithm 639 
components of a modem block 

cipher 128 
composite 252 
compression ] 30 
com predion function 364 
compression P-box 130 
compression permutation 172 
CO] nputah onal probab ility 

assignment 60^ 
conditional entropy 617 
conditional probability 609 
con fidentia lily I, 2, 339 n 394 
confusion 137-138 
congruence 30, 679—681 
congruence operator 30 
congruential generators 634 
connection 5\5 



connection-oriented service 

TCP 603 
con trolled trusted center 454 
coprime 252 
counter (Cl'R) mode 236 
CRT See Chinese remainder 

theorem 
cry pta n a] y sis 57^63, 70 
chosen-cinhertext attack 60 
cbosen-ptaintexi attack 60 
y** ctphe rtext-on I y attack 58 
v^S known-plaintext attack 59 



cftptograpmc 
^ ijjncuon 340 
Cryptographic Message Syniax 
493 

cryptography 9, 55 
cry pLos Wljrn- ba sed 
generals. 636 
CTR See counter 
cyclic group\J03> 284 
cyclic subgroup Iffi 

D

data confidentiality
Data Encryption Standard (DES) 159
  alternative approach design 170
  analysis 175, 219
  as Feistel cipher 163
  avalanche effect 175
  brute-force attack 185
  cipher and reverse cipher 167
  cipher key 170
  completeness effect 176
  compression permutation 172
  design criteria 176
  differential cryptanalysis 185
  double DES 182
  expansion P-box 163
  first approach design 167
  function 163
  history 159
  initial and final permutations 160
  key complement 181
  key generation 170
  linear cryptanalysis 186
  meet-in-the-middle attack 183
  number of rounds 177
  P-Boxes 163
  possible weak keys 181
  properties 175
  round key 170
  rounds 163
  S-Boxes 164, 176
  security 185, 219
  semi-weak keys 179
  shift left 172
  straight permutation 167
  structure 160
  triple DES with three keys 184
  triple DES with two keys 184
  weakness in the cipher key 178
  weaknesses in cipher 177
  XOR 164
data integrity 8
data link layer 604
data units 193
data-expansion function 539
datagram 602
data-origin authentication
Davies-Meyer scheme 366
decidable problems 643
decryption 303, 315, 318
denial of service 5
DES See Data Encryption Standard
determinant 43
deterministic algorithms 260
[the left edge of the next column is cut off in the scan; only the visible fragments survive]
... 418
encoding
analysis
... 645
... 651-652
... 147, 564
digram 64
Diophantine equations 28
discrete logarithm 281, 317, 449
distributivity 104
divisibility 22, 679
  test 260
Domain...
  ...m attack 449
  ... 447
... 8, 389
  ... attack 395
  ...ry 395
  ... attack 395
  ...tication 393
  ...ty 393
  ...n 390
  ... 390
...Algorithm
...Scheme
...Standard 406
  ...gning 406
  ... 407
double DES (2DES) 182
double transposition ciphers 86
DSA See Digital Signature Algorithm
DSS See Digital Signature Standard

E

ECB See electronic codebook
electronic codebook mode (ECB) 226-228
  ciphertext stealing 228
  security issues 227
Electronic Industries Association (EIA) 600
ElGamal 317-321
  decryption 329
  digital signature scheme 400
  elliptic curve 329
  encryption with elliptic curve 328
  forgery 402
  keys generation 400
  verifying and signing 400
elliptic curve 321, 326-327
elliptic curve cryptography
  simulating ElGamal 328
elliptic curve cryptosystem (ECC) 321
elliptic curve digital signature scheme 407
  key generation 408
  signing and verifying 408
elliptic curves over GF(2^n) 326
elliptic curves over GF(p) 324
elliptic curves over real numbers 321
e-mail
  architecture 467
  certificates 470
  cryptographic algorithms 469
  cryptographic secrets 469
  message access agent (MAA) 468
  message transfer agent (MTA) 468
  security 469
  user agent (UA) 468
Encapsulating Security Payload (ESP) 552-554
  AH protocol 555
  authentication data field 555
  next header field 555
  procedure 554
  sequence number field 555
  SPI field 555
encipherment 7
encryption 303, 315, 318
encryption algorithm 56
end-to-end security services 507
Enigma machine 79-80
entity authentication 415
  and key management 416
  something inherent 416
  something known 416
  something possessed 416
  verification categories 416
entropy 616
ephemeral Diffie-Hellman 510
Eratosthenes 254
error in transmission
error propagation 227, 2[?], 233, 236, 237
ESP See Encapsulating Security Payload
Euclidean algorithm 24, 679, 680
Euler's phi-function 254, 683
Euler's theorem 257, 684
Euler's criterion 276
Euler's totient function 254
exclusive-or 133-135
exhaustive-key search method 58
existence of identity 98
existence of inverse 98
existential forgery 395
expansion P-Boxes 130
expansion permutation 163
exponentiation 278, 279
exponentiation and logarithm 278
extended Euclidean algorithm 25, 37, 112, 681

F

factorization 267
factorization attack 306
factorization method 268-271, 273
false acceptance rate (FAR) 433
false rejection rate (FRR) 433
FAR See false acceptance rate
fast exponentiation 279
Federal Information Processing Standard (FIPS) 159, 192, 599
federal register 192, 599
feedback function 150
feedback shift register 150
Feige-Fiat-Shamir Protocol 429
Feistel cipher 139-142
Fermat 256, 259
Fermat factorization method 269
Fermat method 269
Fermat primes 259
Fermat test 262
Fermat's Little Theorem 256, 282
Fiat-Shamir Protocol 427
File Transfer Protocol (FTP) 602
fingerprint 340
finite field 106
  Galois field 106
finite group 101
FIPS See Federal Information Processing Standard
fixed Diffie-Hellman 510
fixed password 416
flat multiple KDCs 439
forgery types 395
FRR See false rejection rate
FSR See feedback shift register
full-size key block ciphers 126-127
function 297
Fundamental Theorem of Arithmetic 267, 682

G

Galois field 106
gcd See greatest common divisor
generating primes 258
GF(2^n) 108
GF(p) 107
GF(p^n) 106, 107
Global System for Mobile Communication (GSM) 242
GSM See Global System for Mobile Communication

INDEX 713

greatest common divisor (gcd) 23, 267
group 98, 103, 104
Guillou-Quisquater Protocol 429

H

halting problem 643
Handshake Protocol 518-524
hash function 339-365
  criteria 340
  meet-in-the-middle attack 352
hash functions based on block ciphers 365
hash functions made from scratch 365
hashed message authentication code (HMAC) 355
hashing 10
HAVAL 365
HelloRequest Message 531
hierarchical multiple KDCs 439
Hill cipher 75-76
HMAC See hashed message authentication code
HTTP See Hypertext Transfer Protocol
Hypertext Transfer Protocol (HTTP) 505, 602




I

IAB See Internet Architecture Board
ICANN See Internet Corporation for Assigned Names and Numbers
IDEA 637
identity matrix 41
IEEE See Institute of Electrical and Electronics Engineers
IESG See Internet Engineering Steering Group
IETF See Internet Engineering Task Force
IKE See Internet Key Exchange
[the left edge of the next column is cut off in the scan; entries are given as far as they can be read]
...d Diffie-Hellman key exchange 563
inbound SPD 561
...group 101
information theory 615, 633
initial vector (IV) 229
input pad (ipad) 355
Institute of Electrical and Electronics Engineers (IEEE) 600
integer arithmetic 20
integer division 21
... 339
...protocol 554
...ing 340
...connectivity 595
International Organization for Standardization (ISO) 599
International Telecommunication Union-Telecommunication Standardization Sector (ITU-T) 6, 599
International Telecommunication Union (ITU) 599
Internet administration 597
Internet Architecture Board (IAB) 597
Internet Control Message Protocol (ICMP) 604
Internet Corporation for Assigned Names and Numbers (ICANN) 599
Internet Engineering Task Force (IETF) 598
Internet Engineering Steering Group (IESG) 599
Internet Group Message Protocol (IGMP) 604
Internet Key Exchange
  aggressive mode 573
  digital signature method
  main mode
  original public-key method 570-573
  phases and modes
  preshared secret-key method 569
  quick mode 575
  revised public-key method 571, 573
Internet Protocol (IP) 603
Internet Research Steering Group (IRSG)
Internet Research Task Force (IRTF) 598
Internet Security Association and Key Management Protocol (ISAKMP) 563
Internet Society (ISOC) 598
interoperability 595
inverse 35-116
  additive 35
  multiplicative 36, 301
  polynomial 112
invertibility 131-135
invertible function 297
InvMixColumns 204
InvShiftRows 202
InvSubBytes 198
IP See Internet Protocol
IP address 603-605
ipad See input pad
IPSec See IP Security
IP Security (IPSec) 549
  access control 556
  AH versus ESP 555
  authentication header (AH) 552
  clogging attack 564
  confidentiality 556
  Encapsulating Security Payload 554
  entity authentication 556
  IKE phases 566
  inbound SPD 561
  Internet Key Exchange (IKE) 563
  ISAKMP 563, 578
  man-in-the-middle attack 565
  message integrity 556
  modes 550
  Oakley protocol 563
  outbound SPD 560
  Perfect Forward Security (PFS) 576
  protocols 549
  replay attack 565
  security association (SA) 557
  Security Association Database
  Security Policy (SP) 560
  Security Policy Database (SPD)
  services provided 555
  transport mode 550
  tunnel mode 551
IPv4 555
IPv6 555
irreducible and primitive polynomials 621
irreducible polynomials 109, 621
ISAKMP See Internet Security Association and Key Management Protocol
ISO See International Organization for Standardization
ISOC See Internet Society
iterated hash function 363
ITU See International Telecommunication Union
ITU-T See International Telecommunication Union-Telecommunication Standardization Sector
IV See initial vector

J

joint entropy 617
Joint Photographic Experts Group (JPEG) 495

K

Kasiski test 74
KDC See key-distribution center
Kerberos 443-445
  authentication server 444
  operation 445
  real server 445
  realm 447
  ticket-granting server 444
Kerckhoff's principle 56, 57
key 56
  affine cipher 66
key complement 181
Key Distribution Center (KDC) 438-444
  AS 444
  flat multiple 439
  hierarchical multiple 439
  Kerberos 443
  Needham-Schroeder Protocol 441
  Otway-Rees Protocol 441
key domain 57
  multiplicative cipher 65
key expansion 207-212
  AES-128 208
  AES-192 212
  AES-256 212
  RotWord 209
  SubWord 209
key generation 242, 244, 302, 315, 318
key management 244
key material 514
key rings 472
key schedule 137
keyed transposition ciphers 82
key-generation group 302
keyless ciphers 128
keyless substitution ciphers 128
keyless transposition ciphers 81, 128
key-only attack 395
knapsack cryptosystem 298
known-message attack 395
known-plaintext attack 59, 320

L

Lagrange's theorem 104
Las Vegas algorithms 644
least common multiplier (lcm) 267
least residue 31
Lempel Ziv encoding (LZ)
LFSR See linear feedback shift register
linear algebra 19
linear cipher 150
linear congruence 45
linear congruential generator 634
linear cryptanalysis 147, 186, 655
linear Diophantine equation 28
linear feedback shift register (LFSR) 151
linear profile 655
linear S-box 132
linear versus nonlinear S-boxes 132
linearity relations 655
link address 605
list of irreducible and primitive polynomials 621
logarithm 281
low-modulus attacks 320

M

MAA See message access agent
MAC See message authentication code
main diagonal 41
majority function 243
man-in-the-middle attack 449-451, 565
MASH 361
masquerading 4
master secret 514
matrix 40-44
  addition 41
  additive inverse 44
  column 40
  congruence 45
  determinant 43
  equality 41
  identity 41
  inverses 44
  main diagonal 41
  multiplication 42
  multiplicative inverse 44
  operation 41
  residue 44
  row 40
  scalar multiplication 42
  square 40
  subtraction 41
Matyas-Meyer-Oseas scheme 366
maximum entropy 616
MD See Message Digest
MD5 365
meet-in-the-middle attack 183, 352
monoalphabetic ciphers
  affine cipher 66
  cryptanalysis 69
  substitution 68
  multiplicative ciphers 65
Monte Carlo algorithm 644
Moving Picture Experts Group
MTA See message transfer agent
multiple DES
multiplicative cipher 65
multiplicative inverse 36, 301
Multipurpose Internet Mail Extensions (MIME) 492
  audio data type 495
  content-description header 498
  content-transfer-encoding header 496
  content-type header 493
  encoding 496
  headers 492
  image data type 495
  message data type 494
  multipart data type 493
  NVT ASCII 492
  text data type 493
  video data type 495

N

National Institute of Standards and Technology (NIST) 159, 191, 599
National Security Agency (NSA) 160
Needham-Schroeder protocol 441
NESSIE See New European Schemes for Signature, Integrity, and Encryption
network layer 603
New European Schemes for Signatures, Integrity, and Encryption (NESSIE) 376
NIST See National Institute of Standards and Technology
NLFSR See nonlinear feedback shift register
nonce 410, 411
non-Feistel cipher 143, 192
nonlinear feedback shift register (NLFSR) 153
nonlinear S-box 132
nonrepudiation 8, 393
nonsingular elliptic curve 322
nonsynchronous stream ciphers 154
notarization 8
NSA See National Security Agency
number field sieve 273
number of primes 253
number theory 19

O

OAEP See optimal asymmetric encryption padding
Oakley protocol 563
OFB See output feedback
one-time pad 77, 149
one-time password 416-420
one-way function (OWF) 297
opad See output pad
Optimal Asymmetric Encryption Padding (OAEP) 311
order of a group 101
order of an element 104
OSI model 55, 602-604
Otway-Rees protocol 441
outbound SPD 560
output feedback mode (OFB) 234-236
output pad (opad) 356
OWF See one-way function



P

P class 643
padding
  AH protocol
  hash algorithms
parity drop 170
partial-size key ciphers 127-128
passive attack 5
passive versus active attacks 5
password 416-420
  dictionary attack 418
  fixed 416
  one-time 416
  salting 419
password-based authentication 416
pattern attack 59
P-box 129-131
Perfect Forward Security (PFS) 576
perfect secrecy 618
permutation box (P-box) 129-131
permutation group 100, 127
PFS See Perfect Forward Security
PGP See Pretty Good Privacy
PGP PRNG 637
phi-function 254
physical address 604
  ARP 603
  authority 605
  RARP 603
  size and format 605
physical layer 604
pigeonhole principle 345
PKI See Public-Key Infrastructure
plaintext 56
plaintext attacks 308
Playfair cipher 70-71
Pollard p-1 factorization method 270
Pollard rho factorization method 271
polyalphabetic substitution 68-69
  Enigma Machine 79
  Hill cipher 75
  one-time pad 77
  Playfair 70
  rotor cipher 78
  Vigenere 72
Polybius cipher 96
polynomial 108
  addition 110
  additive inverse 110
  modulus 109
  multiplication 111
  multiplication using computer 113
port address 605
possible keys 181
preimage resistance 340, 341
pre-master secret 514
Pretty Good Privacy (PGP) 470
  certificate message 491
  certificates 475
  code conversion 472
  compression 471
  compression algorithms 474
  confidentiality with one session key 471
  encrypted message 490
  hash algorithms 474
  key revocation 482
  key ring tables 477
  key rings 472
  message integrity 471
  messages 490
  packets 484
  plaintext 470
  public-key algorithms 473
  segmentation 472
  signed message 491
  symmetric-key algorithms 473
  trust model 483
  trusts and legitimacy 475
  web of trust 482
PRF See pseudorandom function
primality testing 260-266
prime factors 627
prime polynomial 109
primes 251, 253, 259, 623, 682
  check for primeness 253
  Diffie-Hellman 450
  infinite number 253
  RSA 311
  smallest 252
primitive polynomial 153, 621
primitive roots 283, 631
private key 294, 453
PRNG See pseudorandom number generator
probabilistic algorithms 644
  Las Vegas algorithm 644
  Monte Carlo 644
probabilistic relations 651
probability 607-609
  assignment 608
  axioms 609
  classical 608
  computational 609
  conditional 609
  definitions 607
  event 608
  outcomes 607
  properties 609
  random experiment 607
  random variables 610
  sample space 607
  statistical 608
product cipher 136, 137
pseudorandom function (PRF) 539



R

RACE Integrity Primitives Evaluation Message Digest (RIPEMD) 365
Radix-64 496
random experiment 607
random number generators (RNG) 245
random oracle model
  alternate collision
  collision attack 349
  preimage attack 347
  second preimage attack 348
random variables 610
RC4 238-245
realm 447
Record Protocol 526
  compression/decompression 527
  encryption/decryption 529
  fragmentation/combination 527
  framing/deframing 529
  signing/verifying 528
relatively prime 36, 252
replay attack 44[?], 565
replaying 4
repudiation 4
Request for Comment (RFC) 595-597
residue 29
residue class 31
residue matrices 44
reverse address resolution protocol, See RARP
RFC See Request for Comment
Rijndael 192
ring 104
RIPEMD-160 365
RIPEMD See RACE Integrity Primitives Evaluation Message Digest
RNG See random number generator
rotor cipher 78
RotWord 209
round characteristics 651-655
round constant 209, 382
rounds 137
routing
  network layer 603
routing control 8
row matrix 40
RSA 293, 301-309, 312, 314
  attacks 398
  cryptosystem 301
  digital signature scheme 396
  key generation 396
  number of bits 310
  proof 304
  recommendations 330
  signing and verifying 397
  transmission media 312

S

SA See Security Association
SAD See Security Association Database
salting 419
sample space 607
S-box 132, 133, 164
scalar 42
Schnorr protocol 403-405
  digital signature scheme 403
  forgery 405
  key generation 403
  signing and verifying 404
SCTP See Stream Control Transmission Protocol
S-DES
second preimage resistance 340-342
secrecy
secret key
Secure Hash Algorithm (SHA) 365
Secure Hash Standard (SHS)
Secure Sockets Layer (SSL) Protocol 507
  Alert Protocol 526
  anonymous Diffie-Hellman 510
  architecture 508
  ChangeCipherSpec Protocol 525
  cipher suite 512
  compression 508
  compression algorithms 513
  confidentiality 508
  connection state 515
  cryptographic parameter generation 513
  DES 511
  ephemeral Diffie-Hellman 510
  fixed Diffie-Hellman 510
  Fortezza 531
  four protocols 517
  fragmentation 508
  Handshake Protocol 518, 530
  IDEA 511
  key exchange algorithms 509
  key material 514
  master secret 514
  MD5 512
  message formats 529
  message integrity 508
  pre-master secret 514
  Record Protocol 526
  services 508
  session and connection 515
  session state 516
  SHA-1 512
  stream RC4 511
Secure/Multipurpose Internet Mail Extension (S/MIME) 492-498
  applications 502
  cryptographic algorithms 501
  Cryptographic Message Syntax (CMS) 498
  key management 500
security 7, 317, 320, 330
Security Association (SA) 557
Security Association Database (SAD) 558
security goal
  availability 3
  confidentiality 2
  integrity 3
security mechanism 7
security parameter index (SPI) 554
Security Policy (SP) 560
Security Policy Database
security services 6
seed 634
selective forgery 396
semi-weak keys 179
services and mechanisms
session key 439, 440, 447, 564
session state 516
set of integers 20
set of least residues modulo n 30
set of linear equations 46
sets for addition and multiplication 39
pseudorandom number generator (PRNG) 633
SHA See Secure Hash Algorithm
SHA 365
  padding 369
  word expansion 370
SHA-1
  message length 368
SHA-512 363, 367
  compression function 372
  final adding 372
  initialization 371
  length field 369
  message preparation 368
  structure of round 373
  words 370
shared secret key 56
shift cipher 62-63
shift register 150
ShiftColumns 380
ShiftRows 202
SHS See Secure Hash Standard
sieve of Eratosthenes 254
signing algorithm 390
Simple Mail Transfer Protocol (SMTP) 502, 602
Simple Network Management Protocol (SNMP) 602
Simplified AES (S-AES) 667
  AddRoundKey 675
  bit 668
  block 669
  ciphers 677
  data units 668
  InvMixColumns 674
  InvShiftRows 673
  InvSubNibbles 672
  key expansion 675
  key adding 674
  MixColumns 673
  mixing 673
  nibble 669
  permutation 672
  RotWord 676
  round constants 677
  rounds 667
  ShiftRows 672
  state 669
  SubNibbles 671
  substitution 671
  SubWord 676
  word 669
statistical attack 59, 64
statistical probability assignment 608
steganography 10
straight permutation 167
stream and block ciphers 87
stream cipher 87, 238
Stream Control Transmission Protocol (SCTP) 503
strong collision 342, 358
strong pseudoprime 263
SubBytes 196, 377
subgroup 102
substitution 61, 128
substitution box (S-box) 132-133, 164
substitution ciphers 60, 128
  monoalphabetic ciphers 61
super-increasing tuple 298
swap operation 336
swapper 142
symmetric-key 124
symmetric-key agreement 447
symmetric-key cipher 56
symmetric-key cryptography 293
symmetric-key distribution 438
symmetric-key encipherment 9
synchronous stream cipher 149



T

Taylor's series 613
TCP See Transmission Control Protocol
TCP/IP Protocol Suite 601
TCP/IP See Transmission Control Protocol/Internet Protocol
TELNET See TERMINAL NETWORK
TERMINAL NETWORK (TELNET) 602
TGS See ticket-granting server
ticket 441
ticket-granting server (TGS) 444
time complexity 639
timestamped digital signature scheme 409
timestamped signatures 409
TLS See Transport Layer Security
totient function 254
TOWF See trapdoor one-way function
traditional symmetric-key ciphers 55
traffic analysis 4
traffic padding 8
Transmission Control Protocol (TCP) 603
Transmission Control Protocol/Internet Protocol (TCP/IP) 601
transport layer 602
Transport Layer Security (TLS) 507-543
  Alert Protocol 542
  CertificateVerify Message 543
  cipher suite
  data-expansion function 539
  Finished Message 543
  generation of cryptographic secrets 539
  Handshake Protocol
  key material 542
  master secret 541
  pre-master secret 541
  pseudorandom function (PRF) 539
  Record Protocol 543
  version 539
transport mode 550
transposition cipher 60, 80, 125
  cryptanalysis 85
  double 86
  keys 83
  P-box 129
trapdoor 297, 300
trapdoor one-way function (TOWF) 296-297
trial division factorization method 268
trigram 64
triple DES (3DES) 184
TRNG 633
true random number generator (TRNG) 633
trusted center 453
tunnel mode 550-551
Turing machine 643

U

UA See user agent
UDP See User Datagram Protocol
undecidable problems 643
undeniable signature 411
user agent (UA) 468
user authentication 339
User Datagram Protocol (UDP) 602

V

verifier 415
verifying algorithm 390
Vigenere cipher 72
  cryptanalysis 74
  Kasiski 74
  tableau 72

W

weak collision 342, 358
weak keys 178
web of trust 482
Whirlpool cipher 377
  AddRoundKey 382
  analysis 384
  key expansion 382
  MixRows 381
  preparation 376
  round constants 382
  states and blocks 377
  structure of round 377
  SubBytes 377
word 370
word expansion
  SHA-1 370
word oriented 370

X

X.509 456
  certificate 456-457
  certificate renewal 457
  certificate revocation 457
  delta revocation 458
X.800 6
XOR
  DES 164
  operation

Z

Z 20, [?]
zero-knowledge authentication 426-429
  cave example 426
  Feige-Fiat-Shamir protocol 429
  Fiat-Shamir protocol 427
  Guillou-Quisquater protocol 429
ZIP 645
  compression 646
  decompression 647
Z_n 3[?]-40, 98
Z_n* 39-40
Z_p 40, 98
Z_p* 40, 98, 564


2DES  double DES
3DES  triple DES
AES  Advanced Encryption Standard
AH  Authentication Header
AS  authentication server
CA  certification authority
CBC  cipher-block chaining
CFB  cipher feedback
CMAC  cipher-based message authentication code
CMS  Cryptographic Message Syntax
CRT  Chinese remainder theorem
CTR  counter
DES  Data Encryption Standard
DSA  Digital Signature Algorithm
DSS  Digital Signature Standard
ECB  electronic codebook
ECDSA  elliptic curve digital signature algorithm
ESP  Encapsulating Security Payload
FAR  false acceptance rate
FCC  Federal Communications Commission
FIPS  Federal Information Processing Standard
FRR  false rejection rate
FSR  feedback shift register
gcd  greatest common divisor
GSM  Global System for Mobile Communication
HMAC  hashed message authentication code
HTTP  Hypertext Transfer Protocol
IAB  Internet Architecture Board
IANA  Internet Assigned Numbers Authority
ICANN  Internet Corporation for Assigned Names and Numbers
IEEE  Institute of Electrical and Electronics Engineers
IESG  Internet Engineering Steering Group
IETF  Internet Engineering Task Force
IKE  Internet Key Exchange
IP  Internet Protocol
ipad  input pad
IPSec  IP Security
ISAKMP  Internet Security Association and Key Management Protocol
ISO  International Organization for Standardization
ISOC  Internet Society
ITU  International Telecommunication Union
ITU-T  International Telecommunication Union-Telecommunication Standardization Sector
IV  initial vector
KDC  key-distribution center
LFSR  linear feedback shift register
MAA  message access agent
MAC  media access control
MAC  message authentication code
MD  Message Digest
MIC  message integrity code
MIME  Multipurpose Internet Mail Extension
MTA  message transfer agent
MTU  Maximum Transmission Unit
NESSIE  New European Schemes for Signature, Integrity, and Encryption
NIST  National Institute of Standards and Technology
NLFSR  nonlinear feedback shift register
NSA  National Security Agency
OAEP  optimal asymmetric encryption padding
OFB  output feedback
opad  output pad
OWF  one-way function
PFS  Perfect Forward Security
PGP  Pretty Good Privacy
PKI  public-key infrastructure
PRF  pseudorandom function
PRNG  pseudorandom number generator
QNR  quadratic nonresidue
QR  quadratic residue
RACE  Research in Advanced Communications for Europe
RC  round constant
RC4  Ron's Code 4
RFC  Request for Comment
RIPEMD  RACE Integrity Primitives Evaluation Message Digest
RNG  random number generator
RSA  Rivest, Shamir, Adleman
SA  Security Association
SAD  Security Association Database
SCTP  Stream Control Transmission Protocol
SHA  Secure Hash Algorithm
SKEME  Secure Key Exchange Mechanism
SHS  Secure Hash Standard
S/MIME  Secure/Multipurpose Internet Mail Extension
SP  Security Policy
SPD  Security Policy Database
SSL  Secure Sockets Layer
TCP  Transmission Control Protocol
TCP/IP  Transmission Control Protocol/Internet Protocol
TELNET  TERMINAL NETWORK
TGS  ticket-granting server
TLS  Transport Layer Security
TOWF  trapdoor one-way function
UA  user agent
UDP  User Datagram Protocol
URL  uniform resource locator
WWW  World Wide Web